Adobe has released a critical software update to fix nearly two-dozen security holes in its Flash Player browser plugin. Separately, I want to take a moment to encourage users who have Adobe Shockwave Player installed to finally junk this program; turns out Shockwave — which comes with its own version of Flash — is still many versions behind in bundling the latest Flash fixes.
If you use and need Flash Player, it’s time to update the program (the latest version is 19.0.0.185 for Windows and Mac users). Google Chrome and Internet Explorer bundle their own versions of Flash (also now at v. 19.0.0.185); each should auto-update to the latest. Find out if you have Flash installed and its current version number by visiting this page.
Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.
If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.
If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
SHOCKWAVE SHOCKER
In other Adobe patch news, on Sept. 8, 2015 I urged readers who have the Shockwave media player installed to update to the latest version or else junk the program altogether. In an post more than a year ago, I outlined Why You Should Ditch Adobe Shockwave, noting that the program bundles a component of Adobe Flash that was more than 15 months behind on security updates.
I checked back with Adobe last week to find out whether the version of Shockwave that the company released earlier this month is caught up on Flash flaws. Turns out, it’s still woefully behind. The version of Shockwave released just two weeks ago bundles the Flash runtime 16.0.0.305, a version of Flash that Adobe released in February 2015.
Translation: The version of Shockwave that Adobe released two weeks ago lacks fixes for a whopping 155 vulnerabilities in Flash that can be used to backdoor virtually any computer running it! Included in those missing fixes are patches for a half-dozen Flash flaws that were being actively exploited at the time they were fixed in Flash Player.
Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.
Source: Krebs