In news that can surely only be a surprise to people who’ve learned to use a computer since the middle of March 2018, or who’ve been trapped in their own fridge for the last decade… last Tuesday was Patch Tuesday, there’s a Critical Flash vulnerability and, if you’re still using Flash, it’s time to reexamine your attitude to risk and reward (and while you’re doing that, update to the latest version).
Did I say a critical vulnerability? I meant three.
Adobe Bulletin APSB18-08 lists six security issues fixed in the latest release, version 18.104.22.168, three RCE (Remote Code Execution) vulnerabilities rated critical and three information disclosure vulnerabilities rated Important.
Updates for all platforms have been given a priority of 2, which means that to Adobe’s knowledge there are currently no known exploits and none are expected imminently.
Flash plug-ins for Google Chrome on all platforms, or for Microsoft Edge and Internet Explorer 11 on Windows 10 and 8.1, will update themselves automatically.
Everyone else should download the latest version:
Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 22.214.171.124 via the update mechanism within the product  or by visiting the Adobe Flash Player Download Center.
The good news is that, in this case, Adobe and the independent researchers who found the holes in its product are one step ahead of the bad guys this month (provided you install the update).
The bad news is that the rate at which critical, remotely exploitable flaws are found – in a product that barely changes – shows no signs of slowing, even after all these years.
So, if you find yourself downloading the latest version, ask yourself what you’re planning to use it for and whether you really need it.
Why? Because cybercriminals love that you run Flash.
Over the years its many remotely exploitable flaws have been a reliable source of joy for them – giving them a bunch of ways to reach through your browser and persuade your computer to run malware.
Millions of users have uninstalled Flash completely, Steve Jobs ensured that iPhone and iPad users have never had it, browsers are burying it as deeply as they can, and even Adobe has called time on it.
Cybercriminals still love it though, and they want you to love it too, or at least tolerate it enough to keep it hanging around because if past performance is indicative of future results – a 0-day is coming.
If you’re determined to keep it, I’ll see you here again in a month.