Adobe is promising a patch “as early as June 16” for a critical Flash vulnerability, CVE-2016-4171, that’s being exploited in the wild. All Flash players in all browsers on all supported operating systems (Windows, Macintosh, Linux and Chrome OS) are at risk.
Update APSA16-03 from Adobe describes the situation as follows:
A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16.
The announcement maintains Flash’s unofficial but thoroughly deserved status as the go-to destination for criminals looking for browser-based exploits.
Sadly, this year’s run of four updates in four months isn’t the worst it’s been.
Past performance isn’t necessarily indicative of future results, but anyone still using Flash needs to ask themselves: just how bad do things have to get before I’ll remove it?
Yes, there are still some useful things that rely on Flash, but events are catching up to them fast.
iOS users have lived without Flash from the get-go. Google’s Chrome browser is hurriedly bundling Flash towards the exit door, and Apple is set to follow suit in its upcoming version of macOS.