Flash 0-day in the wild – patch now!


This past Patch Tuesday, Adobe released, well, nothing. Given that the past few months of Adobe Patch Tuesdays have been gradually diminishing, perhaps some of us thought these Flash-related patches were going the way of the dodo.

Alas, it was wishful thinking.

Six days after Patch-Tuesday-that-wasn’t, Adobe has released an out-of-band patch for Flash in response to a zero-day vulnerability that’s being exploited in the wild.

This Flash vulnerability, CVE-2017-11292, could allow remote code execution, and is rated as Critical. It affects Flash both in browsers and on desktop players, on Windows, Mac, Linux, and Chrome OS.

Adobe notes that this vulnerability is being exploited in the wild, specifically by a criminal group that has previously used other Flash vulnerabilities to carry out their attacks.

Sophos disrupts the attack by blocking the URL that malware is downloaded from, and by detecting the malware itself as Mal/Generic-S.

Nevertheless, if you’re still using Adobe Flash, you should patch right away.

But better yet, get rid of Flash altogether (if you can).

Even Adobe knows that its beleaguered media player’s days are numbered. Browser vendors have been trying to sweep it further and further under the rug for years and in July Adobe announced that it was finally pulling the plug.

By the end of 2020.

Given this progress, and in collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.

There’s another forty or so Patch Tuesdays between now and then.

Flash’s days are very numbered but it’s having an agonising, protracted exit. For everyone’s sake its demise really can’t come soon enough. Adobe’s waiting until 2021, you don’t have to.