For the second time in two months, Adobe has pushed out a Flash update that’s more than just a nice-to-have.
This one, like last month’s, fixes not only a bunch of holes that crooks would almost certainly try to use if they knew about them, but also a vulnerability that’s already being exploited in the wild for criminal purposes.
That sort of active exploit is known as an 0-day, or zero-day.
The name comes from the early days of computer game piracy: a zero-day crack came out on the very same day as the official release, so that people who wanted to steal the game had zero days to wait compared to those who were prepared to pay for it.
Pirates competed to see who could produce the quickest crack, often for nothing more than bragging rights.
In modern-day cybercrime, the name is applied to an exploit that comes out before an official patch is ready, so that even well-informed system administrators have had zero days during which they could have patched.
These days, 0-days that work reliably are usually kept as quiet as possible by the crooks.
Bragging simply draws attention to the bug and therefore reduces the amount of money the criminals can squeeze out of unprotected victims before the patch arrives.
That makes updates that fix 0-days more urgent than usual: you’re not patching to get ahead of where the crooks might soon be, but to get ahead of where they already are.
The updated Flash versions are:
- Flash 21.0.0.213 for Windows and OS X.
- Extended Support Release 18.0.0.343 for Windows and OS X.
- Flash 11.2.202.616 for Linux.
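Because Adobe ships three separate branches, "is my Flash version high enough?" is a branch-aware question: 18.0.0.343 is fully patched even though it is numerically far below 21.0.0.213. The script below is an added example (not code from the article or from Adobe) that encodes the three fixed builds listed above and checks an inventory of standalone installs against them. The fixed build numbers come from the list above; the rule that any Windows/OS X branch the bulletin does not list (for example a stale 19.x or 20.x build) is treated as not patched, the platform-name mapping, and the sample inventory are this example's own assumptions.

```python
"""Branch-aware check of standalone Flash Player builds against the
APSB16-10 fixed versions.

Added example, not from the article or from Adobe. The fixed build numbers
are the ones the article lists; branch rules, platform mapping and the
sample inventory are assumptions made for illustration.
"""
from __future__ import annotations

# Lowest build carrying the fix on each release branch (from the article).
FIXED_BUILDS = {
    ("desktop", 21): (21, 0, 0, 213),   # Windows / OS X mainline
    ("desktop", 18): (18, 0, 0, 343),   # Windows / OS X Extended Support Release
    ("linux", 11): (11, 2, 202, 616),   # Linux plugin
}

# Assumption: OS names as they appear in an inventory -> Adobe's platform family.
PLATFORM_FAMILY = {"windows": "desktop", "macos": "desktop",
                   "osx": "desktop", "linux": "linux"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '21.0.0.213' into (21, 0, 0, 213); raise ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Flash version format: {text!r}")
    return parts


def patch_status(version: str, platform: str) -> str:
    """Return 'patched' or 'vulnerable' for a standalone Flash install.

    Comparing parsed tuples is what makes this correct: a plain string
    comparison would rank '21.0.0.99' above '21.0.0.213'.
    """
    family = PLATFORM_FAMILY[platform.lower()]
    parsed = parse_version(version)
    major = parsed[0]
    if family == "desktop" and major == 18:
        fixed = FIXED_BUILDS[("desktop", 18)]   # ESR deliberately stays on 18.x
    elif family == "desktop" and major >= 21:
        fixed = FIXED_BUILDS[("desktop", 21)]
    elif family == "linux":
        fixed = FIXED_BUILDS[("linux", 11)]
    else:
        # Assumption: a branch the bulletin does not list (e.g. 19.x, 20.x)
        # never received this fix, so treat it as vulnerable.
        return "vulnerable"
    return "patched" if parsed >= fixed else "vulnerable"


def audit(inventory: dict[str, tuple[str, str]]) -> list[str]:
    """Return the hostnames whose standalone Flash still needs the update.

    inventory maps hostname -> (platform, version string).
    """
    return sorted(host for host, (plat, ver) in inventory.items()
                  if patch_status(ver, plat) == "vulnerable")


# Constructed sample inventory: hostnames and builds are made up for the example.
SAMPLE_INVENTORY = {
    "win-desk-01": ("windows", "21.0.0.213"),
    "win-desk-02": ("windows", "21.0.0.182"),
    "mac-esr-01": ("macos", "18.0.0.343"),
    "win-esr-02": ("windows", "18.0.0.333"),
    "lnx-build-01": ("linux", "11.2.202.577"),
    "win-stale-03": ("windows", "20.0.0.306"),
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        plat, ver = SAMPLE_INVENTORY[host]
        print(f"{host}: Flash {ver} on {plat} still needs APSB16-10")
```

This only applies to standalone Flash installs (the NPAPI plugin for Firefox and the ActiveX control on older Windows). Where Flash is bundled with the browser, as in Chrome or IE on Windows 8 and later, the version is driven by the browser's own updater, and the Flash control panel will not let you update it separately.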
To avoid massive spikes in network demand when updates appear, many products introduce random waiting times for automatic updates.
This helps spread the load and reduces the amount of time wasted by failed updates and network congestion. (The update may reach you slightly later, but will reach everybody sooner.)
However, you can trigger a manual update check via the Flash control panel or preferences pane if you like.
Even if you are up-to-date, it’s nice to make sure.
💡 Important information and advice: Flash zero-day in the wild to be fixed by Adobe.
💡 Adobe’s official update notification: Adobe security bulletin APSB16-10.
Uhhh, will Flash for Android be updated?
No. Adobe killed off Flash for Android some years ago. (It was discontinued in Google Play back in 2012, if memory serves, and the last update was in 2013.)
https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
“On September 10 2013, Adobe released Flash Player 11.1.111.73 for Android 2.x and 3.x and 11.1.115.81 for Android 4.0.x in keeping with statements made in Adobe’s publicly available Flash Roadmap. This release is the final update release of Flash Player for the Android operating system.”
So long, and thanks for all the phish.
Better question is does Sophos have any updates queued to address the ransomware itself?
Which ransomware do you mean?
Adobe has released both 32 and 64 bit versions of the patch for Windows, but I have a machine running 64 bit Win7 and 32 bit Firefox. The Adobe update only updates the 64 bit version. It took me an hour to find the 32 bit installer for the latest flash version. The update from within Firefox pointed to the 64 bit version (no doubt because Windows was 64 bit). This seems to me to be a bug in Adobe’s patch logic.
There is a 64-bit Firefox, but Mozilla warns that things that work in the 32-bit version may not play well in the 64-bit version. I’m waiting until things catch up.
I’m mentioning it here because I suspect that a few people who read this will verify the problem and some of them will know who to report it to at Adobe, moving it from position 3297 on the bug list to a number that will get dealt with this month.
I have v21.0.0.182 on IE11 – can’t seem to get the latest version! Update options are grayed out on the Flash control panel app… I visit the getflashplayer URL and it just says that Flash is integrated into the browser and I “don’t need to install”.
Any ideas?
If you have a browser with Flash supplied as part of the browser (e.g. IE, Chrome) then you need to get the Flash update from the browser supplier (e.g. Microsoft, Google).
Try doing a Windows update…