Flash – aaah-aarrgh! Patch now as hackers exploit fresh holes

Flash, I love you, but we only have fourteen hours to save everyone's computers


Adobe has urged users to patch their Windows, OS X and Linux editions of Flash Player to address 23 security vulnerabilities, including one that is actively being targeted in the wild.

The March update includes a number of fixes for vulnerabilities that could, if exploited, allow an attacker to remotely execute code on a targeted system simply by loading a malformed Flash file. In other words, visiting a booby-trapped webpage, or viewing a Flash ad, could inject malware into your computer.

One of those flaws, CVE-2016-1010, is being used for what Adobe calls "limited, targeted attacks."

Users running Flash Player 20.0.0.306 and earlier for Windows, OS X and Linux should look to update the software.

Flash Player for Linux 11.2.202.569 and earlier and Adobe AIR Desktop Runtime and AIR SDK 20.0.0.260 as well as AIR for Android 20.0.0.233 and earlier should also be updated if possible. You can check your installed version here.

Users who have activated the "Allow Adobe to install updates" option on Flash Player for Windows and OS X should receive the update automatically. Google's Chrome browser installs Flash updates automatically, too.

According to Adobe, the patched flaws, all of which could allow remote code execution, include three integer overflow vulnerabilities (one of those is CVE-2016-1010). Eleven of the flaws are use-after-free errors, and one is a heap overflow bug. The remaining eight exploitable programming blunders are memory corruption vulnerabilities.

Adobe has posted a full list of the CVE numbers as well as discovery credits for each of the vulnerabilities on its help site.

Adobe gave word of the Flash Player update earlier this week when it posted a scheduled security update for Adobe Acrobat and Reader to address a total of four vulnerabilities. That same day, Microsoft posted its monthly patch load for Windows, Office, Internet Explorer and Edge.

As always, going into your browser's settings and enabling click-to-play for Flash is recommended, as it will stop malicious Flash files from automatically firing up as soon as you load a page. ®

