This one, like last month’s, fixes not only a bunch of holes that crooks would almost certainly try to use if they knew about them, but also a vulnerability that’s already being exploited in the wild for criminal purposes.
That sort of active exploit is known as an 0-day, or zero-day.
The name comes from the early days of computer game piracy: a zero-day crack came out on the very same day as the official release, so that people who wanted to steal the game had zero days to wait compared to those who were prepared to pay for it.
Pirates competed to see who could produce the quickest crack, often for nothing more than bragging rights.
In modern-day cybercrime, the name is applied to an exploit that comes out before an offical patch is ready, so that even well-informed system administrators have zero days during which they could have been patched.
These days, 0-days that work reliably are usually kept as quiet as possible by the crooks.
Bragging simply draws attention to the bug and therefore reduces the amount of money the criminals can squeeze out of unprotected victims before the patch arrives.
That makes updates that fix 0-days more urgent than usual: you’re not patching to get ahead of where the crooks might soon be, but to get ahead of where they already are.
The updated Flash versions are:
- Flash 18.104.22.168 for Windows and OS X.
- Extended Support Release 22.214.171.124321 for Windows and OS X.
- Flash 126.96.36.1996 for Linux.
To avoid massive spikes in network demand when updates appear, many products introduce random waiting times for automatic updates,
This helps spread the load and reduces the amount of time wasted by failed updates and network congestion. (The update may reach you slightly later, but will reach everybody sooner.)
However, you can trigger a manual update check via the Flash control panel or preferences pane if you like.
Even if you are up-to-date, it’s nice to make sure.