With 36 security fixes, you should either update Adobe Flash now… or kill it

Adobe has issued an update for its widely-used Flash Player browser plugin, patching a total of 36 different vulnerabilities.

Here is how Adobe has described the updates in its latest security bulletin:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks.

It’s that mention of the zero-day vulnerability being actively exploited which has, of course, garnered most of the attention.

Security researchers discovered that an online gang known as ScarCruft were exploiting the zero-day flaw in March, and privately disclosed details to Adobe so a fix could be produced. In a blog post the researchers say that they believe the ScarCruft gang are exploiting security holes in Adobe Flash and Internet Explorer in malware campaigns they have described as “Operation Daybreak” and “Operation Erebus”.

ScarCruft? Operation Daybreak? Operation Erebus? Who comes up with these names? Oh that’s right, it’s the marketing departments of security firms.

Joking aside, even if a vulnerability has only been spotted being exploited in limited targeted attacks so far, it makes sense for everyone to secure their systems. When details of a flaw become known it is not uncommon for other criminal gangs to take an interest in taking advantage.

Flash has earned itself a poor reputation in recent years, frequently exploited by online criminals as a method to infect the computers of innocent internet users. And although Adobe has hardened the security of the software, and introduced a series of enhancements into its code to mitigate against common types of attacks, it’s a reputation that Adobe Flash Player has failed to shake off.

It’s no wonder then that so many computer users are beginning to question whether they really need Adobe Flash at all, or whether their online activity would be safer if they dumped the software altogether.

Even if you’re not quite ready to take the plunge just yet and remove Adobe Flash Player in its entirety from your computer, you might decide to enable features like “Click to Play” (which allow you to choose when Flash code is rendered by your browser on a particular website) or confine Flash to a separate browser for specific purposes rather than the one you use to regularly access the web.

click-to-play

If you decide that you will persist with Flash rather than dump it in the trash, you must keep it updated on your computers. Most people probably rely upon Adobe’s own automatic updates – but I often find they are slow to recognise that a new version of the software is available, and so I prefer to trigger an update manually.

If you are unsure about whether you are currently running the latest edition of Adobe Flash Player, you can always check on Adobe’s website, and download the most recent version.
.

Just please be sure, if you take this route, that you download Flash Player from the genuine Adobe website. On many occasions we have seen criminals using social engineering tricks to dupe unsuspecting users into installing bogus Adobe updates, which go on to compromise their computers.

Leave a Reply