
With 36 security fixes, you should either update Adobe Flash now… or kill it

Image credit: adobe.com

Adobe has issued an update for its widely-used Flash Player browser plugin, patching a total of 36 different vulnerabilities.

Here is how Adobe has described the updates in its latest security bulletin:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks.

It’s that mention of a zero-day vulnerability, CVE-2016-4171, already being actively exploited which has, of course, garnered most of the attention.

Security researchers discovered in March that an online gang known as ScarCruft was exploiting the zero-day flaw, and privately disclosed details to Adobe so a fix could be produced. The ScarCruft gang appears to be exploiting security holes in both Adobe Flash and Internet Explorer in malware campaigns which the researchers have named “Operation Daybreak” and “Operation Erebus”.

ScarCruft? Operation Daybreak? Operation Erebus? Who comes up with these names? Oh that’s right, it’s the marketing departments of security firms.

Joking aside, even if a vulnerability has so far only been spotted being exploited in limited, targeted attacks, it makes sense for everyone to patch. Once a fix is public, other criminal gangs routinely compare the patched and unpatched code, rebuild the exploit for themselves, and fold it into their own, far less targeted, malware campaigns.

Flash has earned itself a poor reputation in recent years, being one of the browser plugins most frequently exploited by online criminals to infect the computers of innocent internet users. And although Adobe has hardened the software and added a series of mitigations against common classes of attack, it’s a reputation that Adobe Flash Player has failed to shake off.

It’s no wonder then that so many computer users are beginning to question whether they really need Adobe Flash at all, or whether their online activity would be safer if they dumped the software altogether.

Even if you’re not quite ready to take the plunge and remove Adobe Flash Player from your computer entirely, you can still shrink the attack surface. Enable “Click to Play” (so Flash content on a page stays inert until you explicitly click it, which blunts drive-by attacks from booby-trapped adverts and pages), or confine Flash to a separate browser reserved for the few sites that genuinely need it, rather than the browser you use for email, banking and everyday web access, so that your main browser never loads the plugin at all.
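As an added example (not from the original article), here is how an administrator can force “Click to Play” for every user of Google Chrome on a Windows machine by setting Chrome’s DefaultPluginsSetting policy in the registry, showing the weak setting (1, run plugins automatically) next to the corrected one (3, click to play). It assumes Chrome reads machine policy from HKLM:\SOFTWARE\Policies\Google\Chrome and that the script is run from an elevated PowerShell; other browsers have their own equivalents, which are not shown here.

```powershell
# Added example, not Adobe's or Google's own code: set Chrome's Flash/plugin
# behaviour to "click to play" via machine policy.
# DefaultPluginsSetting values (Chrome policy documentation):
#   1 = run plugins automatically (the weak setting, and Chrome's own default)
#   2 = block all plugins
#   3 = click to play
# Assumption: policy key location as documented for Chrome on Windows.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$valueName = 'DefaultPluginsSetting'

function Get-ChromePluginPolicy {
    # Returns the current policy value, or $null when no policy is set
    # (in which case Chrome falls back to running plugins automatically).
    if (Test-Path $policyKey) {
        $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$valueName }
    }
    return $null
}

function Set-ChromeClickToPlay {
    # Creates the policy key if needed and forces value 3 (click to play).
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 3 -Force | Out-Null
}

$before = Get-ChromePluginPolicy
Write-Host "DefaultPluginsSetting before: $(if ($null -eq $before) { '<not set: plugins auto-run>' } else { $before })"

Set-ChromeClickToPlay

$after = Get-ChromePluginPolicy
if ($after -eq 3) {
    Write-Host 'Chrome plugins are now click-to-play. Restart Chrome and confirm at chrome://policy.'
} else {
    Write-Warning "Policy was not applied (value is '$after'). Run this from an elevated PowerShell."
}
```

If one internal site genuinely needs Flash to run without a click, add that site to Chrome’s PluginsAllowedForUrls policy rather than relaxing the default for the whole web.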


If you decide to persist with Flash rather than dump it in the trash, you must keep it updated on every computer you use. Most people rely on Adobe’s own automatic updates, but I often find they are slow to recognize that a new version of the software is available, so I prefer to trigger an update manually.

If you are unsure whether you are currently running the latest edition of Adobe Flash Player, you can check on Adobe’s website (the security bulletin lists the fixed version number for each platform and browser) and download the most recent version from there.

If you take this route, please be sure that you download Flash Player only from the genuine Adobe website: type the address yourself rather than following a link, pop-up or “your Flash is out of date” banner. On many occasions we have seen criminals use social engineering tricks to dupe unsuspecting users into installing bogus Adobe updates, which go on to compromise their computers.
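As an added example (not from the original article), here is a check an administrator can run on a downloaded installer before executing it: it confirms that the download came over HTTPS from an adobe.com host, and that the file carries a valid Authenticode signature whose signer is Adobe, which is what separates a genuine update from a renamed piece of malware. The installer path and download URL are placeholders, and the expectation that the signer’s subject contains “O=Adobe” is an assumption about Adobe’s code-signing certificate.

```powershell
# Added example, not Adobe's own tooling: sanity-check a Flash installer
# before running it. Get-AuthenticodeSignature is a built-in cmdlet.
function Test-FlashInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,        # installer on disk
        [Parameter(Mandatory)] [string] $DownloadUrl  # where it was fetched from
    )

    $problems = @()

    # (a) The download must come from Adobe's own domain over HTTPS, not a
    #     look-alike such as adobe-update.example or a plain-HTTP mirror.
    $uri = [System.Uri] $DownloadUrl
    if ($uri.Scheme -ne 'https') {
        $problems += "download was not over HTTPS (scheme '$($uri.Scheme)')"
    }
    if (-not ($uri.Host -eq 'adobe.com' -or $uri.Host.EndsWith('.adobe.com'))) {
        $problems += "download host '$($uri.Host)' is not under adobe.com"
    }

    # (b) The file must be signed, the chain must validate, and the signer must
    #     be Adobe. 'NotSigned' or 'HashMismatch' means the bytes are not what
    #     Adobe shipped, whatever the file name claims.
    if (-not (Test-Path -LiteralPath $Path)) {
        $problems += "file not found: $Path"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') {
            $problems += "signature status is '$($sig.Status)' ($($sig.StatusMessage))"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Adobe') {
            # Assumption: Adobe's signing certificate subject contains "O=Adobe".
            $problems += "signed by '$($sig.SignerCertificate.Subject)', not Adobe"
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Safe     = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Placeholder values: substitute the installer you actually downloaded.
$result = Test-FlashInstaller -Path "$env:USERPROFILE\Downloads\install_flash_player.exe" `
                              -DownloadUrl 'https://get.adobe.com/flashplayer/'
if ($result.Safe) {
    Write-Host "OK: $($result.Path) is a validly signed Adobe installer fetched from adobe.com"
} else {
    Write-Warning ("Do NOT run $($result.Path):`n  " + ($result.Problems -join "`n  "))
}
```

A valid signature proves the file is the one Adobe signed, not that Adobe’s code is free of bugs; it is the right check for the “is this really from Adobe?” question and nothing more.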

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • I recommend uninstalling Flash if you can. If you can’t do without it, we recommend turning it off whenever you don’t need it.

    In fact, we need it so occasionally that we download it every time we need it, install it, use it, then uninstall it altogether and delete it. That way, we can’t leave it on by accident, and we make sure we’ve got the latest version every time we need it.

    That’s a mild annoyance, to be sure, but it helps us remember why we didn’t want Flash in the first place.