This story was originally published after Adobe warned of a coming update but before it was officially available.
The patches have now been published, taking Flash version numbers to: 126.96.36.199 or Extended Support Release 188.8.131.52321 for Windows and OS X, and 184.108.40.2066 for Linux.
Keep your eye out for critical patches for Adobe Flash.
Adobe has given advance warning that the soon-to-ship update, due later today, fixes a vulnerability that is already being exploited in the wild.
The bug allows an attacker to send booby-trapped content to your browser’s Flash plugin in such a way that your browser will not only crash, but also hand over control to the attacker in the process.
The technical name for that sort of exploit is RCE, short for Remote Code Execution, also known as a drive-by download or a drive-by install, so called because you only need to look at a booby-trapped page to get infected.
There’s no need to take any additional action such as clicking [OK] on a download dialog, or clicking [Ignore] on a security pop-up: drive-by malware infections generally happen, well, in a flash.
Apparently, the only currently-known exploit against the bug, designated CVE-2016-1019, is mitigated by some proactive exploit protection techniques programmed into the last-but-one Flash update (version 220.127.116.11).
In other words, even though the buggy code is present right up to the current version (18.104.22.168), both the current and previous versions have enough “defence in depth” to limit the danger of the exploit.
According to Adobe, the recent in-the-wild attacks are only targeting Windows, so OS X and Linux users get off with just a warning.
What to do?
When we write about Flash updates these days, or discuss them in our weekly Chet Chat podcast, we usually recommend trying an experiment: see if you can live without Flash in your browser altogether.
You can either uninstall Flash altogether, or turn it off in browsers where Flash comes built-in, such as Microsoft Edge.
We almost always provoke two sorts of response.
One response comes from people who express surprise that anyone still bothers with Flash at all, because they’ve done without it for years and can’t see what all the fuss is about.
The other response comes from people who say that many of their regular online haunts still need Flash, and who express surprise that anyone would seriously consider getting rid of it.
If you do need to keep it, make sure you keep it up to date, and use your browser’s click-to-play feature (also known as ask to activate) so that Flash content doesn’t run without you realising, especially on sites you’ve never visited before.
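If you do keep Flash, "keep it up to date" boils down to comparing the version you have against the patched version for your branch (the main release, the Extended Support Release, or the Linux build each carry their own numbers). The script below is an added example written for this article, not Adobe's or Sophos's code, and the per-branch floor values in it are constructed placeholders: substitute the numbers from the relevant Adobe bulletin. It parses dotted version strings into integer tuples so the comparison is numeric, picks the branch from the major number, and reports a verdict; it also shows why a plain string comparison of version numbers gives the wrong answer.

```python
"""Check a dotted Flash Player version string against a per-branch patch floor."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed example thresholds, NOT Adobe's real release numbers: replace them with
# the versions named in the bulletin you are acting on. The key is the major version
# that identifies each release branch (assumption: one branch per major number).
PATCH_FLOOR: Dict[int, Tuple[str, Version]] = {
    21: ("main", (21, 0, 0, 200)),
    18: ("extended support", (18, 0, 0, 300)),
    11: ("linux", (11, 2, 202, 600)),
}


def parse_version(text: str) -> Version:
    """Turn 'a.b.c.d' into (a, b, c, d) so ordering is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def branch_of(version: Version) -> Optional[str]:
    """Name the release branch for a parsed version, or None if it is not in the table."""
    entry = PATCH_FLOOR.get(version[0])
    return entry[0] if entry else None


def check_version(text: str) -> Tuple[str, str]:
    """Return (branch, verdict) where verdict is 'patched', 'vulnerable' or 'unknown'.

    A major number the table does not know is reported as unknown rather than
    guessed at, so a brand-new branch never silently passes as patched.
    """
    version = parse_version(text)
    entry = PATCH_FLOOR.get(version[0])
    if entry is None:
        return ("unknown", "unknown")
    branch, floor = entry
    return (branch, "patched" if version >= floor else "vulnerable")


def lexical_compare_is_wrong(a: str, b: str) -> bool:
    """True when ordering the raw strings disagrees with ordering the parsed versions.

    '21.0.0.97' sorts after '21.0.0.213' as text because '9' > '2', yet 97 < 213:
    this is the trap that makes naive version checks report patched builds as stale
    (or stale builds as patched).
    """
    return (a < b) != (parse_version(a) < parse_version(b))


if __name__ == "__main__":
    # Constructed sample inputs covering each branch plus an unknown major number.
    for sample in ("21.0.0.197", "21.0.0.213", "18.0.0.343", "11.2.202.577", "22.0.0.1"):
        print(sample, check_version(sample))
    print("lexical trap:", lexical_compare_is_wrong("21.0.0.97", "21.0.0.213"))
```

Feed it the version string reported by your browser's plugin page or by the Flash installer's control panel; anything other than "patched" means update or disable.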
From EoP to RCE: learn more about vulnerabilities in our Sophos Techknow podcast
10 comments on “Flash zero-day in the wild to be fixed by Adobe”
It looks that the new 22.214.171.124 is already available for download at the old DL-page:
Good news. That’s gone live since I last looked an hour or three ago. (That would have been about 2016-04-07T12:00Z.) Get it while it’s hot, folks…
Nice, I didn’t know IE could be set to be Click to play. I will test this on our workstations to see if we can get rid of Flash, while letting people enable it without calling the help desk while testing.
Make click to play: click on Gear/Manage Add-ons/Toolbars and Extensions/Shockwave Flash Object/More information/Remove all sites/Close
Flash Flash go away come back some other …..
Please don’t tell me Flash is making a comeback, I thought we were done with it a long time ago (I know I was).
Paul I worked out what was causing the break in SSL on this site and others 😉
As Mark Twain once said, “The report of my death was an exaggeration.” So too for Flash.
I went to the download centre but the update is not there yet. My Win 7 is only offered 126.96.36.199 which I already have.
You could try the link posted above by @florian (just change “ch_de” in his URL to say “uk”, or remove that part completely, to get the page in English).
Adobe has been warning about that page being retired for a while now, but while it lasts, it’s a convenient place to get standalone installers. (There are legal Ts-and-Cs, please read them 🙂
That means: no need to be online during the install; no foistware; great for updating more than one computer or for reinstalling the latest version afresh.
Thanks for the tip Paul, followed the link and changed the country to -ca- it is still only showing the version I have. Yet the pages for Germany and the UK are offering the update! Maybe because I’m in Canada instead of Europe? I’ll use the link for the installer on the UK page.
There might be some random delays in what gets offered where in order to spread the load. That’s a good idea when you are publishing updates to the whole world.