At the risk of sounding like a gramophone record that is stuck in a groove…
…for the third month in a row, Adobe has pushed out a Flash update that patches a zero-day hole.
A zero-day is a bug that the crooks start using before a patch is available, thus giving even the most zealous and patch-happy sysadmin zero days to get ahead of the game.
Adobe warned of the problem in security advisory APSA16-02, issued earlier this week, announcing that it hoped to get a fix ready “as early as May 12.”
The company hit that target, announcing the latest Flash update in APSB16-15, issued today.
25 bugs fixed
Mind you, don’t grab this update just because of the zero-day.
Adobe patched 25 security bugs in all, divided into six different categories of flaw, including various sorts of buffer overflow and memory mismanagement.
All of them are listed as “could lead to code execution,” meaning that a well-informed crook could run malware on your computer without warning by sending your browser a booby-trapped Flash file.
As mentioned above, one bug – denoted CVE-2016-4117 – not only could be used to fire up malware, but already is being used.
Understandably, details about exactly where this exploitable hole has been deployed, and how, has not yet been disclosed.
Anyway, even if we could give you a malware name to look out for right now, the crooks could change their attack with a moment’s notice.
Most Flash attacks don’t embed the final malware in their booby-trapped Flash files; instead, they embed a small downloader component that goes out online to fetch the real deal.
That means you can’t tell what malware you’re going to get until the last moment, and it means the crooks can vary the payload to suit themselves, based on a variety of factors such as where you are, what operating system you are running, what other apps you have installed, and so on.
Ironically, that’s very similar to how Flash handles its own updates: the Flash updater downloads an installer, and just when you’re delighted how small and fast the update was, the installer goes back online and downloads the actual update.
What to do?
As regular readers will know, we recommend uninstalling Flash if you can.
If you can’t do without it, we recommend turning it off whenever you don’t need it.
In fact, we need it so occasionally that we download it every time we need it, install it, use it, then uninstall it altogether and delete it.
That way, we can’t leave it on by accident, and we make sure we’ve got the latest version every time we need it.
That’s a mild annoyance, to be sure, but it helps us remember why we didn’t want Flash in the first place.
Adobe lists its updated version numbers as: Flash 184.108.40.206 for Windows and OS X, and Extended Support Release 220.127.116.112 for Windows and OS X. Confusingly, and presumably incorrectly, Flash 18.104.22.1686 is listed as both the “affected version” and the “updated version” for Linux. (Update. Now fixed by Adobe to give 22.214.171.1241 as the updated version [2016-05-12T17:40Z].)