Flash zero-day in the wild to be fixed by Adobe

This story was originally published after Adobe warned of a coming update but before it was officially available.
The patches have now been published, taking Flash version numbers to: or Extended Support Release for Windows and OS X, and for Linux.

Keep your eye out for critical patches for Adobe Flash.

Adobe has given advance warning that the soon-to-ship update, due later today, fixes a vulnerability that is already being exploited in the wild.

The bug allows an attacker to send booby-trapped content to your browser’s Flash plugin in such a way that your browser will not only crash, but also hand over control to the attacker in the process.

The technical name for that sort of exploit is RCE, short for Remote Code Execution, also known as a drive-by download or a drive-by install, so called because you only need to look at a booby-trapped page to get infected.

There’s no need to take any additional action such as clicking [OK] on a download dialog, or clicking [Ignore] on a security pop-up: drive-by malware infections generally happen, well, in a flash.

Apparently, the only currently-known exploit against the bug, designated CVE-2016-1019, is mitigated by some proactive exploit protection techniques programmed into the last-but-one Flash update (version

In other words, even though the buggy code is present right up to the current version (, both the current and previous versions have enough “defence in depth” to limit the danger of the exploit.

According to Adobe, the recent in-the-wild attacks are only targeting Windows, so OS X and Linux users get off with just a warning.

What to do?

When we write about Flash updates these days, or discuss them in our weekly Chet Chat podcast, we usually recommend trying an experiment: see if you can live without Flash in your browser altogether.

You can either uninstall Flash altogether, or turn it off in browsers where Flash comes built-in, such as Microsoft Edge,

We almost always provoke two sorts of response.

One response comes from people who express surprise that anyone still bothers with Flash at all, because they’ve done without it for years and can’t see what all the fuss is about.

The other reponse comes from people who say that many of their regular online haunts still need Flash, and who express surprise that anyone would seriously consider getting rid of it.

If you do need to keep it, make sure you keep it up to date, and use your browser’s click-to-play feature (also known as ask to activate) so that Flash content doesn’t run without you realising, especially on sites you’ve never visited before.


From EoP to RCE: learn more about vulnerabilities in our Sophos Techknow podcast

(Audio player above not working? Download, or listen on Soundcloud.)