
Flash zero-day fix is out, get it ASAP

Flash 0-day! To misquote Yogi Berra, it's like déjà vu all over again all over again...

Two days ago we wrote about CVE-2016-4171, a security vulnerability that doesn’t have a fancy name, but if it did, it might be FourthTimeUnlucky.

That’s the bug that necessitated the fourth Adobe zero-day Flash update in four months, following similar patches that shipped in March, April and May 2016.

A zero-day is a security exploit that comes out before any update is available, thus giving even the most zealous sysadmin zero days of advance warning to patch against it.

And a security exploit is a bug that crooks can use not only to crash your computer, but also to gain control over it from the other side of the world without warning.

The silver lining, if you want to find one, is that some zero days, being new and not very well tested, don’t work reliably on all computers.

Furthermore, not all zero days are immediately widely available in the cybercriminal underground, because the crooks who figured them out want to keep them to themselves for a while.

But that’s only if you want to find a silver lining.

Any zero-day exploit needs to be treated as a leaden thundercloud, with heavy rain and lightning strikes likely.

As regular readers will know, we regularly repeat the mantra “Patch early, patch often” as a way of staying ahead of the crooks as much as you can…

…but when it comes to zero days, you can replace that saying with “Patch right now.”

With that in mind, make sure you’ve received Adobe’s latest patch for Flash, which the company said it would deliver this week, in double-quick time, and did.

If you haven’t installed the patch yet, make sure that’s because you don’t have Flash installed at all, so there’s nothing to patch.

More and more people are learning to live without Flash plugged into their browser, because most sites these days work perfectly well without it. (If they didn’t, they wouldn’t work with iOS or Android, neither of which has support for Flash at all.)

The new version numbers to look out for are:

  • Flash Player Desktop Runtime (Windows and Mac), from Adobe.
  • Flash Player Extended Support Release (Windows and Mac), from Adobe.
  • Flash Player for Google Chrome (Windows, Mac, Linux and ChromeOS), from Google.
  • Flash Player for Microsoft Edge and IE 11 (Windows 8.1 and 10), from Microsoft.
  • Flash Player for Linux, from Adobe.

Note. If you’re a Sophos customer, and you want to measure how widespread Flash is inside your organisation, with a view to blocking it for safety’s sake, you can do both of these with Sophos’s Application Control feature.


I “ditched” Flash Player years ago but I find I have “Air” (???) on my new laptop.
What the heck is it needed for? (I can’t figure out what needs it.)
Can I safely ditch it too?


ScarCruft’s targets are not home users, but high profile enterprises and organizations around the world. Nevertheless, all users are advised to upgrade to the newest Flash Player version as soon as possible.

For one, it’s likely that the patch will be reverse-engineered very quickly, an exploit created and added to an exploit kit to target all users who are casual with keeping their software updated.

