It’s time to update Flash once again, and don’t forget to reduce the attack surface by enabling “Click to Play”… or uninstall it altogether.
If you’re running Adobe Flash on your Windows, Mac or Linux computer – it’s time, once again, to make sure that you’re running the latest version of the software.
Adobe has issued a security patch for the Flash Player tackling critical security holes that could allow a malicious hacker to gain access to your computer, infect it with malware and steal your data.
Most of the nearly two dozen vulnerabilities patched in Adobe’s latest update could be exploited to execute malicious code on victims’ computers, and relate to buffer overflow flaws, memory corruption and stack corruption.
Windows and Mac users are advised to update at the earliest opportunity to Flash Player 22.214.171.124. If you’re using Unix, ensure that you have updated to version 126.96.36.1991. You can verify which version of Adobe Flash you are currently running by visiting this page on Adobe’s website.
Of course, another option is to uninstall Flash from your computer altogether. That is a decision more people are beginning to make, and it has supporters such as Facebook’s security chief, who has called for Flash to be killed off entirely because of its long history of security issues, but it’s a step that I suspect the majority of computer users aren’t quite ready for.
Instead, I would suggest that Adobe Flash users consider enabling “Click to Play” in their browser.
With “Click to Play” enabled, your browser won’t render potentially malicious Flash content unless and until you give it specific permission. In other words, a maliciously coded Flash file won’t run unless you give it permission, rather than automatically executing when you visit a webpage.
Adobe says that it’s unaware of any in-the-wild exploitation of the security vulnerabilities patched in this latest update, but it doesn’t make sense to rest on your laurels and take no action. In the past, malicious hackers have used recently-issued security patches as a blueprint to help them identify flaws and develop methods to take advantage of them on unprotected computers.
There is, sadly, one piece of particularly bad news.
As security blogger Brian Krebs reports, Adobe continues to distribute versions of its Shockwave Player with a worryingly out-of-date version of Adobe Flash:
The version of Shockwave released just two weeks ago bundles the Flash runtime 188.8.131.525, a version of Flash that Adobe released in February 2015.
Translation: The version of Shockwave that Adobe released two weeks ago lacks fixes for a whopping 155 vulnerabilities in Flash that can be used to backdoor virtually any computer running it! Included in those missing fixes are patches for a half-dozen Flash flaws that were being actively exploited at the time they were fixed in Flash Player.
As very few sites still require Shockwave Player these days, it would seem sensible to me for most internet users to uninstall the software as soon as practically possible.
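The two checks this post asks for (is the installed Flash Player at the patched version, and is Shockwave quietly carrying an older Flash runtime?) are easy to get wrong at scale if version strings are compared as text rather than as numbers. The following script is an added example, not code from this post or from Adobe: it audits a constructed software inventory and flags any host whose Flash runtime, standalone or bundled inside Shockwave, is below a minimum. The minimum version, the host names and every inventory row are placeholders invented for the example; substitute the version numbers from Adobe’s current bulletin.

```python
"""Flag hosts whose Adobe Flash runtime (the standalone player, or the copy
bundled with Shockwave Player) is older than a patched release."""
import re
from typing import Dict, List, Optional, Tuple

# PLACEHOLDER minimum: substitute the patched version from Adobe's bulletin.
# This value is constructed for the example and is not a real release number.
MIN_FLASH = "18.0.0.999"

# Constructed inventory rows, shaped like an asset-management export.
# "bundled_flash" is the Flash runtime that ships inside Shockwave Player;
# it is the field that matters for Shockwave, not Shockwave's own version.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "product": "Flash Player", "version": "18.0.0.999"},
    {"host": "ws-02", "product": "Flash Player", "version": "9.0.0.260"},
    {"host": "ws-02", "product": "Shockwave Player", "version": "12.1.9.160",
     "bundled_flash": "16.0.0.305"},
    {"host": "ws-03", "product": "Flash Player", "version": "19.0.0.1"},
]

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.0.0.232' into (18, 0, 0, 232) so comparisons are numeric.

    Comparing version strings lexically is a classic bug: as text,
    '9.0.0.0' sorts after '18.0.0.0' and an ancient plugin looks current.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_outdated(installed: str, minimum: str) -> bool:
    """True when installed < minimum.

    Shorter tuples are padded with zeros so '18.0' equals '18.0.0.0'.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def flash_runtime_of(row: Dict[str, str]) -> Optional[str]:
    """Return the Flash runtime a row actually exposes to web content."""
    if row["product"] == "Shockwave Player":
        return row.get("bundled_flash")
    return row["version"]


def audit(inventory: List[Dict[str, str]],
          minimum: str = MIN_FLASH) -> List[Dict[str, str]]:
    """Return one finding per inventory row whose Flash runtime is
    below `minimum`, or whose Shockwave bundled runtime is unknown."""
    findings: List[Dict[str, str]] = []
    for row in inventory:
        runtime = flash_runtime_of(row)
        if runtime is None:
            findings.append({"host": row["host"], "product": row["product"],
                             "flash_runtime": "unknown",
                             "reason": "Shockwave present; bundled Flash "
                                       "version not recorded"})
            continue
        if is_outdated(runtime, minimum):
            findings.append({"host": row["host"], "product": row["product"],
                             "flash_runtime": runtime,
                             "reason": f"Flash runtime {runtime} is below "
                                       f"{minimum}"})
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"{finding['host']:8} {finding['product']:18} "
              f"{finding['flash_runtime']:12} {finding['reason']}")
```

Running it against the constructed rows reports ws-02 twice: once for its old standalone Flash Player and once for the Flash runtime bundled with its Shockwave install, which is exactly the case the Krebs quote above describes. A Shockwave row with no recorded bundled version is reported as well rather than silently passed, since an unknown runtime is not evidence of a patched one.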