Adobe Systems this week rushed out an emergency patch to plug a security hole in its widely-installed Flash Player software, warning that the vulnerability is already being exploited in active attacks.
Adobe said a “critical” bug exists in all versions of Flash including Flash versions 21.0.0.197 and lower (older) across a broad range of systems, including Windows, Mac, Linux and Chrome OS. Find out if you have Flash and if so what version by visiting this link.
In a security advisory, the software maker said it is aware of reports that the vulnerability is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier.
Adobe said additional security protections built into all versions of Flash including 21.0.0.182 and newer should block this flaw from being exploited. But even if you’re running one of the newer versions of Flash with the additional protections, you should update, hobble or remove Flash as soon as possible.
The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.
If you choose to update, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).
By the way, I’m not the only one trying to make it easier for people to put a lasso on Flash: In a blog post today, Microsoft said Microsoft Edge users on Windows 10 will auto-pause Flash content that is not central to the Web page. The new feature will be available in Windows 10 build 14316.
“Peripheral content like animations or advertisements built with Flash will be displayed in a paused state unless the user explicitly clicks to play that content,” wrote the Microsoft Edge team. “This significantly reduces power consumption and improves performance while preserving the full fidelity of the page. Flash content that is central to the page, like video and games, will not be paused. We are planning for and look forward to a future where Flash is no longer necessary as a default experience in Microsoft Edge.”
Additional reading on this vulnerability:
Kafeine‘s Malware Don’t Need Coffee Blog on active exploitation of the bug.
Trend Micro’s take on evidence that thieves have been using this flaw in automated attacks since at least March 31, 2016.
Source: Krebs