Have Adobe Flash? Update now against actively-exploited zero-day flaw

Emergency security update released as ransomware attacks launched.


As they promised earlier this week, Adobe has released an emergency security update for Flash Player, protecting against a vulnerability (known as CVE-2016-1019) that is being actively exploited by hackers.

Here's what Adobe is saying in its latest security bulletin:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier.

As security firm Proofpoint describes, the CVE-2016-1019 vulnerability in Flash is being exploited by malicious hackers to spread the Cerber ransomware via use of the Magnitude exploit kit.

If none of that makes sense to you, I'll make it very simple: update Adobe Flash now, or get rid of it altogether.

If you're not quite ready to take the step of entirely uninstalling Flash, then you should at the very least consider enabling "Click to Play", which stops Flash elements from being rendered in your browser unless you give specific permission.

And remember, Flash isn't just a security headache for Windows users. This vulnerability is also present in the Mac OS X, Linux and ChromeOS editions of Flash Player.


12 Responses

  1. Stephane

    April 8, 2016 at 2:29 pm #

    I'd like to get rid of Flash completely but what can I do if my old scanner uses a Flash interface? (and of course the company wouldn't provide a new interface for this old model). P.S. Stupid answer would be "get rid of your old scanner and buy a new one".

    • Bob in reply to Stephane.

      April 8, 2016 at 8:07 pm #

      You could try using a browser like Google Chrome as it automatically keeps Flash up-to-date. It is also Chrome-specific so the Flash component wouldn't work in other browsers. You'd get security and functionality.

      If you don't trust Adobe Flash (and most experts don't) then you should use Google Chrome exclusively for scanning as that would greatly reduce your potential for compromise.

      In this example you'd use Microsoft Edge / Internet Explorer as your primary browser (without Flash installed on your computer) and then when you want to scan something toggle into Google Chrome (which has Flash built in).

      The other alternative (assuming you don't want to buy a new scanner) is to download a reputable scanning app for your mobile phone. You take a picture of the document and, voila, it's scanned.

  2. Will from Minnesota

    April 8, 2016 at 7:54 pm #

    Thanks for the timely post, I love your work!!! So… question… why is this latest flash debacle making my head explode "one more time"… Why… Why… WHY!!?? … Why do we still have our mind-boggling dependence on flash, after sooo many years of hearing that flash is on the way out? I've been using Tenfourfox for some time now to rebelliously persist in using my over-ten-year-old Power PC mac laptop. I've been able to overcome every obstacle, every annoying message over the past few years from various websites, banking, utilities, email, etc. that "your browser is no longer supported," but the one thorn in my side has been going without flash… vimeo, facebook (omg Mark!) youtube… youtube has been the best, as there has been a large proportion of content that via html-5 video (right?) I can still use, but even on youtube I frequently get the "not supported" wienie-slap… boo!… So why, if according to countless tech articles for YEARS now announcing that everything points to a happy transition to a flashless universe, it just won't GO AWAY!!?? (cue mad muttering in the attic noises…)

  3. drsolly

    April 9, 2016 at 11:37 am #

    This happens so often, that I've made a bash script for updating flash, so I don't have to think about it any more.

    Sigh.

    How do companies get away with such egregious insecurity?

  4. JohnC

    April 9, 2016 at 12:30 pm #

    I am thoroughly fed up with Flash too. Click to Play helps to manage the risk but I would rather not have Flash installed at all. After all this time you would think they would take the hint and learn how to code securely and security test their products before each release, if only to protect their future business. I use Heimdal free to silently patch this and some other problemware at startup, but a Flash-free PC would be even better.

  5. JUK

    April 10, 2016 at 1:46 am #

    Can anyone tell me if we are supposed to receive a patch for this through Windows Update on Windows 10? Only I've not received updates for this, which I don't quite understand why not at this late stage.

    • Donna in reply to JUK.

      April 10, 2016 at 2:58 am #

      I am confused also…I don't know to uninstall or what to do…:(

      • Bob in reply to Donna.

        April 10, 2016 at 9:54 pm #

        JUK

        You need to manually update Flash if it is installed at all; it won't be pushed out via Windows Update.

        Donna

        Graham's article has a link giving you clear instructions on how to check if you've got Flash installed, whether you need to update it and how to update.

        • Juk in reply to Bob.

          April 12, 2016 at 12:35 am #

          Bob

          JUK

          you need to manually update Flash if it is installed at all; it won't be pushed out via Windows Update.

          Hi Bob, I only have Flash that is built into Internet Explorer 11, which Windows Update will often send patches out for; other forums are saying there is still no actual official fix yet from Microsoft.

  6. Liz

    April 10, 2016 at 2:12 pm #

    If I uninstall Flash, what takes its place? For instance, I have Flash set to Click To Play and when I am uploading photos to Shutterfly, it asks me to activate Adobe Flash. If I uninstall the Flash player, will that affect uploading?

    • Bob in reply to Liz.

      April 10, 2016 at 9:57 pm #

      In a word: nothing.

      Some sites like YouTube will play the video using HTML5 but other sites, like Shutterfly, won't work at all if Flash is uninstalled.

      https://support.shutterfly.com/app/answers/detail/a_id/1162/~/troubleshooting-flash

      • Dan Lewis in reply to Bob.

        May 16, 2016 at 8:04 pm #

        Bob, you answered another person's question: how does Adobe get away with crap code…? In short, there's not a viable alternative. Pity. I'd like to have one alternative for every Adobe product…
