Critical Flash vulnerability is being exploited in the wild

Flash

Adobe is promising a patch “as early as June 16” for a critical Flash vulnerability, CVE-2016-4171, that’s being exploited in-the-wild. All Flash players in all browsers on all supported operating systems (Windows, Macintosh, Linux and Chrome OS) are at risk.

When it’s released, the patch will mark the fourth such update in four months following similar releases to combat Flash 0-days in March, April and May 2016.

Update APSA16-03 from Adobe describes the situation as follows:

A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16.

The announcement maintains Flash’s unofficial but thoroughly deserved status as the go-to destination for criminals looking for browser-based exploits.

Sadly, this year’s run of four updates in four months isn’t the worst it’s been.

Back in January 2015, Adobe fixed nine Flash vulnerabilities in its patch Tuesday update on 14 January and released three more emergency updates on 23 January, 24 January and 3 February.

Past performance isn’t necessarily indicative of future results but anyone still using Flash needs to ask themselves: just how bad do things have to get before I’ll remove it?

Yes, there are still some useful things that rely on Flash, but events are catching up to them fast.

iOS users have lived without Flash from the get-go. Google’s Chrome browser is hurriedly bundling Flash towards the exit door, and Apple is set to follow suit in its upcoming version of MacOS.

To remove Flash follow Adobe’s guides for uninstalling Flash from Windows and Mac OS X.