Adobe Flash zero-day patch is out…for the third month in a row

At the risk of sounding like a gramophone record that is stuck in a groove…

…for the third month in a row, Adobe has pushed out a Flash update that patches a zero-day hole.

A zero-day is a bug that the crooks start using before a patch is available, thus giving even the most zealous and patch-happy sysadmin zero days to get ahead of the game.

Adobe warned of the problem in security advisory APSA16-02, issued earlier this week, announcing that it hoped to get a fix ready “as early as May 12.”

The company hit that target, announcing the latest Flash update in APSB16-15, issued today.

25 bugs fixed

Mind you, don’t grab this update just because of the zero-day.

Adobe patched 25 security bugs in all, divided into six different categories of flaw, including various sorts of buffer overflow and memory mismanagement.

All of them are listed as “could lead to code execution,” meaning that a well-informed crook could run malware on your computer without warning by sending your browser a booby-trapped Flash file.

As mentioned above, one bug – denoted CVE-2016-4117 – not only could be used to fire up malware, but already is being used.

Understandably, details about exactly where this exploitable hole has been deployed, and how, have not yet been disclosed.

Anyway, even if we could give you a malware name to look out for right now, the crooks could change their attack with a moment’s notice.

Most Flash attacks don’t embed the final malware in their booby-trapped Flash files; instead, they embed a small downloader component that goes out online to fetch the real deal.

That means you can’t tell what malware you’re going to get until the last moment, and it means the crooks can vary the payload to suit themselves, based on a variety of factors such as where you are, what operating system you are running, what other apps you have installed, and so on.

Ironically, that’s very similar to how Flash handles its own updates: the Flash updater downloads an installer, and just when you’re delighted how small and fast the update was, the installer goes back online and downloads the actual update.
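The two-stage pattern described above (a small Flash file that then reaches out to fetch the real payload) leaves a trace that a defender can look for in web proxy logs: the same client fetching a .swf and, moments later, an executable from a different host. The script below is an added example, not code from the original post or from Sophos; the log lines, field layout, hostnames and the 60-second window are all constructed assumptions for illustration, and the rule is a noisy triage heuristic rather than a verdict.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed field layout:
#   <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
2016-05-12T10:00:01Z 10.0.0.5 GET http://ads.example.net/banner.swf 200
2016-05-12T10:00:04Z 10.0.0.5 GET http://cdn-x.example.org/u/payload.exe 200
2016-05-12T10:00:10Z 10.0.0.7 GET http://video.example.com/player.swf 200
2016-05-12T10:05:00Z 10.0.0.7 GET http://updates.example.com/tool.exe 200
2016-05-12T10:01:00Z 10.0.0.9 GET http://intranet.example.com/news.html 200
"""

# Stage one is the booby-trapped Flash file; stage two is the fetched payload.
STAGE1_EXT = (".swf",)
STAGE2_EXT = (".exe", ".dll", ".scr")


def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, url)."""
    ts, client, _method, url, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url


def _ext_matches(url, exts):
    return urlparse(url).path.lower().endswith(exts)


def find_staged_fetches(log_text, window=timedelta(seconds=60)):
    """Heuristic: flag a client that fetches a Flash file and then, within
    `window`, fetches an executable from a *different* host (the downloader
    going back online for the real payload). Returns a list of
    (client, swf_url, exe_url) triples, in log order per client."""
    by_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = parse_line(line)
        by_client.setdefault(client, []).append((ts, url))

    hits = []
    for client, events in by_client.items():
        events.sort()  # logs are not guaranteed to arrive in time order
        for i, (t1, swf_url) in enumerate(events):
            if not _ext_matches(swf_url, STAGE1_EXT):
                continue
            swf_host = urlparse(swf_url).netloc
            for t2, url2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, so nothing later can qualify
                if _ext_matches(url2, STAGE2_EXT) and urlparse(url2).netloc != swf_host:
                    hits.append((client, swf_url, url2))
    return hits


if __name__ == "__main__":
    for client, swf, exe in find_staged_fetches(SAMPLE_LOG):
        print(f"{client}: {swf} -> {exe}")
```

In the sample, only 10.0.0.5 is flagged: 10.0.0.7 also fetched a .swf and then an executable, but five minutes apart, which falls outside the window. Real deployments would tune the window and extension lists to their own traffic, and treat a hit as a prompt to pull the client's full session for review.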

What to do?

As regular readers will know, we recommend uninstalling Flash if you can.

If you can’t do without it, we recommend turning it off whenever you don’t need it.

In fact, we need it so occasionally that we download it every time we need it, install it, use it, then uninstall it altogether and delete it.

That way, we can’t leave it on by accident, and we make sure we’ve got the latest version every time we need it.

That’s a mild annoyance, to be sure, but it helps us remember why we didn’t want Flash in the first place.

Adobe lists its updated version numbers as: Flash 21.0.0.242 for Windows and OS X, and Extended Support Release 18.0.0.352 for Windows and OS X. Confusingly, and presumably incorrectly, Flash 11.2.202.616 is listed as both the “affected version” and the “updated version” for Linux. (Update. Now fixed by Adobe to give 11.2.202.621 as the updated version [2016-05-12T17:40Z].)
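If you do keep Flash installed, the practical check is whether the installed version is at or above the patched version for its branch. The script below is an added example, not code from the original post or from Adobe; the patched version numbers are the ones quoted above from APSB16-15 (including the corrected 11.2.202.621 for Linux), and the installed-version samples are constructed. It compares versions numerically rather than as strings, which matters because a string comparison would rank "21.0.0.242" below "21.0.0.99".

```python
import re
from typing import Tuple

# Patched Flash versions as listed in APSB16-15 (quoted in the post above),
# keyed by major version, which identifies the release branch.
PATCHED = {
    21: "21.0.0.242",    # Flash Player for Windows and OS X
    18: "18.0.0.352",    # Extended Support Release for Windows and OS X
    11: "11.2.202.621",  # Linux, per Adobe's corrected advisory
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple of ints so that it compares numerically."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a four-part Flash version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def patch_status(installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for an installed version.

    Anything below the patched version on its own branch is exposed to the 25
    bugs fixed in APSB16-15, including the in-the-wild CVE-2016-4117. A branch
    not in the table is not covered by this advisory at all, so it needs a
    separate decision (most likely: uninstall or move to a supported branch).
    """
    inst = parse_version(installed)
    fixed = PATCHED.get(inst[0])
    if fixed is None:
        return "unknown-branch"
    return "patched" if inst >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions for illustration.
    for v in ["21.0.0.241", "21.0.0.242", "18.0.0.100", "11.2.202.616",
              "11.2.202.621", "20.0.0.1"]:
        print(f"{v:>14}  {patch_status(v)}")
```

The "unknown-branch" result is deliberately not "patched": a version that this advisory does not cover should be treated as a question to answer, not as safe by default.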
