Flash zero-day in the wild to be fixed by Adobe

Keep your eye out for this month’s Update Tuesday patch for Adobe Flash.

Adobe has given advance warning that the soon-to-ship update, due later today, fixes a vulnerability that is already being exploited in the wild.

The bug allows an attacker to send booby-trapped content to your browser’s Flash plugin in such a way that your browser will not only crash, but also hand over control to the attacker in the process.

The technical name for that sort of exploit is RCE, short for Remote Code Execution, also known as a drive-by download or a drive-by install, so called because you only need to look at a booby-trapped page to get infected.

There’s no need to take any additional action such as clicking [OK] on a download dialog, or clicking [Ignore] on a security pop-up: drive-by malware infections generally happen, well, in a flash.

Fortunately, Adobe hasn’t had to rush out an extra, unscheduled fix in advance of today’s planned update. (Last month, an emergency zero-day fix came out just two days after Update Tuesday when a new exploit turned up in the wild.)

Apparently, the only currently-known exploit against the bug, designated CVE-2016-1019, is mitigated by some proactive exploit protection techniques programmed into the last-but-one Flash update (version 21.0.0.182).

In other words, even though the buggy code is present right up to the current version (21.0.0.197), both the current and previous versions have enough “defence in depth” to limit the danger of the exploit.

According to Adobe, the recent in-the-wild attacks are only targeting Windows, so OS X and Linux users get off with just a warning.

What to do?

When we write about Flash updates these days, or discuss them in our weekly Chet Chat podcast, we usually recommend trying an experiment: see if you can live without Flash in your browser altogether.

You can either uninstall Flash altogether, or turn it off in browsers where Flash comes built in, such as Microsoft Edge.

We almost always provoke two sorts of response.

One response comes from people who express surprise that anyone still bothers with Flash at all, because they’ve done without it for years and can’t see what all the fuss is about.

The other response comes from people who say that many of their regular online haunts still need Flash, and who express surprise that anyone would seriously consider getting rid of it.

If you do need to keep it, make sure you keep it up to date, and use your browser’s click-to-play feature (also known as ask to activate) so that Flash content doesn’t run without you realising, especially on sites you’ve never visited before.
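As an added example that is not part of the article, here is a PowerShell script for Windows (the platform the in-the-wild attacks are said to target) that switches Flash to click-to-play in Chrome and Firefox and then checks the result. It assumes Chrome honours the DefaultPluginsSetting policy under HKLM:\SOFTWARE\Policies\Google\Chrome (3 = click to play) and that Firefox reads plugin.state.flash (1 = "Ask to Activate") from a user.js in each profile; run it from an elevated session with Firefox closed.

```powershell
# Added example, not from the article or from Sophos.
# Assumption: Chrome policy DefaultPluginsSetting: 1 = allow, 2 = block, 3 = click to play.
# Assumption: Firefox pref plugin.state.flash: 0 = never, 1 = ask to activate, 2 = always.

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$FirefoxProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$FirefoxPref     = 'user_pref("plugin.state.flash", 1);'

function Set-ChromeFlashClickToPlay {
    # Machine-wide policy; needs an elevated session for the HKLM write.
    if (-not (Test-Path $ChromePolicyKey)) { New-Item -Path $ChromePolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $ChromePolicyKey -Name 'DefaultPluginsSetting' -Value 3 -Type DWord
}

function Set-FirefoxFlashAskToActivate {
    # user.js is read at Firefox startup and overrides prefs.js, so Firefox must be closed.
    $written = @()
    if (-not (Test-Path $FirefoxProfiles)) { return $written }
    foreach ($dir in Get-ChildItem -Path $FirefoxProfiles -Directory) {
        $userJs = Join-Path $dir.FullName 'user.js'
        # Only append the pref if it is not already there, so re-runs stay idempotent.
        $present = (Test-Path $userJs) -and (Select-String -Path $userJs -Pattern 'plugin\.state\.flash' -Quiet)
        if (-not $present) { Add-Content -Path $userJs -Value $FirefoxPref }
        $written += $userJs
    }
    return $written
}

function Test-FlashClickToPlay {
    # $true only when Chrome's policy is 3 and every Firefox profile asks before activating Flash.
    $policy = Get-ItemProperty -Path $ChromePolicyKey -Name 'DefaultPluginsSetting' -ErrorAction SilentlyContinue
    $chromeOk = ($policy -ne $null) -and ($policy.DefaultPluginsSetting -eq 3)
    $firefoxOk = $true
    foreach ($dir in Get-ChildItem -Path $FirefoxProfiles -Directory -ErrorAction SilentlyContinue) {
        $userJs = Join-Path $dir.FullName 'user.js'
        $askToActivate = (Test-Path $userJs) -and
            (Select-String -Path $userJs -Pattern 'plugin\.state\.flash",\s*1\)' -Quiet)
        if (-not $askToActivate) { $firefoxOk = $false }
    }
    return ($chromeOk -and $firefoxOk)
}

Set-ChromeFlashClickToPlay
Set-FirefoxFlashAskToActivate | Out-Null
Test-FlashClickToPlay   # reports whether click-to-play is now in force for both browsers
```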

by Paul Ducklin from Sophos
