Patch Flash NOW

…or kick it to the kerb.


This is your semi-regular alert that a critical security vulnerability has been found in Adobe Flash, and it is being actively exploited in in-the-wild attacks.

Yes, I know. I was shocked too... But this time the concern is particularly serious.

Adobe has the skinny in its advisory:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.

So, if you're still choosing to use Adobe Flash on your computers you should update to version 23.0.0.205 on Windows and macOS, and to version 11.2.202.643 on Linux, as a matter of priority.
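The version check above, applied across a whole inventory, as an added example that is not part of the original article. The host names and inventory rows are constructed and the function names are hypothetical; only the two fixed version numbers come from the article. Platforms for which the article gives no fixed version are routed to manual review rather than guessed.

```python
# Fixed versions quoted in the article, keyed by platform.
FIXED = {
    "windows": (23, 0, 0, 205),
    "macos": (23, 0, 0, 205),
    "linux": (11, 2, 202, 643),
}

def parse_version(text):
    """Turn '23.0.0.185' (or '23,0,0,185') into a tuple; None if malformed."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'review' for one installation."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "review"  # unknown platform or unreadable version: check by hand
    # Tuple comparison is numeric per field, so 23.0.0.99 < 23.0.0.205,
    # which a plain string comparison would get wrong.
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Group host names by status so the vulnerable ones are patched first."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for host, platform, version_text in inventory:
        result[classify(platform, version_text)].append(host)
    return result

# Constructed sample inventory: (host, platform, reported Flash version).
SAMPLE = [
    ("ws-01", "Windows", "23.0.0.205"),
    ("ws-02", "Windows", "23.0.0.99"),
    ("mac-01", "macOS", "23.0.0.185"),
    ("lin-01", "Linux", "11.2.202.643"),
    ("lin-02", "Linux", "11.2.202.637"),
    ("kiosk-01", "ChromeOS", "23.0.0.205"),
    ("ws-03", "Windows", "23,0,0,207"),
    ("ws-04", "Windows", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

The Linux build is on a separate 11.2 branch, so each platform is compared against its own baseline; comparing every host to 23.0.0.205 would wrongly flag a patched Linux machine.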

You may also run Flash through its integration into the Chrome, Microsoft Edge or Internet Explorer 11 browsers. These should update automatically, taking some of the burden off you, but there's nothing like double-checking that everything is shipshape.

On Chrome, enter chrome://components/ in your browser URL bar and you should be able to see the version number for your embedded version of Flash (and a "Check for update" button if you need to manually update).


If you're bold enough to still be using the internet with Flash enabled, please enable "Click to Play" at the very least.

But if you want to enter the brave new Flash-less world, here is our guide on how to uninstall it from your computers.


7 Responses

  1. Bob

    October 27, 2016 at 12:38 am #

    This is an incredibly serious vulnerability and exploits are already in the wild.

    Update people ASAP.

    http://www.theregister.co.uk/2016/10/26/adobe_patches_fresh_flash_zeroday/

  2. wally

    October 27, 2016 at 1:15 am #

    Sadly, no matter how much anyone decries Flash, there is just an ocean of major sites that have not gone to HTML5 and show signs of ever doing so.

  3. wally

    October 27, 2016 at 1:17 am #

    sorry, meant 'show NO signs of ever doing so'

  4. Bob

    October 27, 2016 at 11:10 am #

    I agree with you wally, I despise Flash but a lot of sites still use it and if you don't have it on your system then you can't see the content.

    Some sites change to HTML5 (like YouTube) if they detect that you don't have Flash but sadly not all do.

    Personally I don't have Flash installed as a standalone application but as part of Google Chrome and Edge. That way it's automatically updated… at least in theory.

    The current stable version of Google Chrome is 54.0.2840.71 and unfortunately Google have yet to push out the update via the automatic mechanism which means your average user won't be protected. You've got to go through the hidden 'chrome://components/' mechanism to manually update Flash. Unless you're 'IT savvy' and are aware of this latest vulnerability then you won't be protected.

    Microsoft Edge has yet to receive its update :-(

    I also use 'click to play' because it greatly improves your security and stops those pesky pop-ups which automatically run Flash to deliver you a hideous advertisement.

    This vulnerability is under active attack and it is imperative users patch immediately.

    https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/

  5. Spryte

    October 27, 2016 at 4:22 pm #

    Not worried at all…

    Uninstalled Flash almost as soon as I bought this new computer (I have not had Flash on ***any*** computer for several years).
    When I end up at a site which requires it I simply "Contact" them and tell them I can't use their site due to the fact they want me to use this antiquated and insecure technology. There are ***other sites*** that provide the same services without me having to use Flash.
    I also advise friends, relatives and co-workers not to use it (or at least Click to Play) if they insist on using it.

    • Bob in reply to Spryte.

      October 27, 2016 at 5:34 pm #

      What browser(s) do you use if you don't use Flash at all?

      Almost all browsers use it irrespective of it being installed on your computer – it's normally found lurking in its PPAPI or NPAPI form.

  6. Bob

    October 27, 2016 at 10:48 pm #

    If you're using Edge (with built-in Flash) but you *don't* have Flash installed on your system you are now able to update your version of Flash as Microsoft have released an emergency patch… you don't need to wait for patch Tuesday!

    Security Update for Adobe Flash Player for Windows 10 Version 1607 (for x64-based Systems) (KB3194343).

    Go to 'All Settings', 'Update & security' and then 'Windows update'.
