Update Flash now – targeted attacks exploiting security holes

Windows, Mac and Linux users are being urged to update their installations of Adobe Flash, after the company pushed out a security patch addressing 23 reported vulnerabilities in the software.

Amongst the critical vulnerabilities reportedly fixed by Adobe are security flaws that could allow a hacker to gain complete control over victims’ computers, and one of the vulnerabilities (CVE-2016-1010) is said to be actively exploited in “limited, targeted attacks.”

If you use Google Chrome, Internet Explorer or Edge as your web browser then its Flash component should be updated automatically. Nonetheless, I would still recommend you ensure that any other installation of Flash you have on your computer is also patched, as web browsers are not the only vector through which we see Flash-based malware being spread by attackers.

Some people, of course, are fed up with the regular exploitation of Adobe Flash and have chosen to remove it entirely from their computers.  That’s a stance I’m sympathetic with, but it’s not one that will work for everyone.

As a result, I generally recommend that users enable Click-to-Play instead, and stop Flash elements from being rendered in their browsers until they have given explicit permission for them to run.

In this way you can reduce the chances of malicious Flash code running on your computer, and of being exposed to risks such as Flash-based malvertising.

For most people who have chosen to keep Flash on their computers, my additional recommendation is that you instruct the Adobe software to automatically receive updates.  If you are worried that your computer is taking too long to notice there is an update available, then you may wish to visit the Adobe Flash Player Download Center.

You can check which version of Flash you have installed on your computer by visiting this page on Adobe’s website.

Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to or later.  If you are running Flash Player on Linux, the version you should be running is or later.

It also makes sense for users of Adobe’s AIR desktop runtime and AIR SDK to update to the latest version.

Sadly, Adobe products have a long history of being abused by online criminals who have found it all too easy to find exploitable vulnerabilities in the company’s code.  That, combined with the widespread use of the software, has made it a successful vector for malicious hackers interested in compromising systems.

Despite Adobe’s best efforts, there’s no sign that the discovery of security holes in its software is going to come to an end anytime soon.  Keep your wits about you and, essentially, if you’re going to use Adobe products keep them up-to-date.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.