Have Adobe Flash? Update now against actively-exploited zero-day flaw

Emergency security update released as ransomware attacks launched.

As they promised earlier this week, Adobe has released an emergency security update for Flash Player, protecting against a vulnerability (known as CVE-2016-1019) that is being actively exploited by hackers.

Here’s what Adobe is saying in its latest security bulletin:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier.

As security firm Proofpoint describes, the CVE-2016-1019 vulnerability in Flash is being exploited by malicious hackers to spread the Cerber ransomware via use of the Magnitude exploit kit.

If none of that makes sense to you, I’ll make it very simple: update Adobe Flash now, or get rid of it altogether.

If you’re not quite ready to take the step of entirely uninstalling Flash, then you should at the very least consider enabling “Click to Play”, which stops Flash elements from being rendered in your browser unless you give specific permission.

And remember, Flash isn’t just a security headache for Windows users. This vulnerability is also present in the Mac OS X, Linux and ChromeOS editions of Flash Player.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

12 comments on “Have Adobe Flash? Update now against actively-exploited zero-day flaw”

  1. Stephane

    I'd like to get rid of Flash completely but what can I do if my old scanner uses a Flash interface? (and of course the company wouldn't provide a new interface for this old model). P.S. Stupid answer would be "get rid of your old scanner and buy a new one".

    1. Bob · in reply to Stephane

      You could try using a browser like Google Chrome as it automatically keeps Flash up-to-date. It is also Chrome-specific so the Flash component wouldn't work in other browsers. You'd get security and functionality.

      If you don't trust Adobe Flash (and most experts don't) then you should use Google Chrome exclusively for scanning as that would greatly reduce your potential for compromise.

      In this example you'd use Microsoft Edge / Internet Explorer as your primary browser (without Flash installed on your computer) and then when you want to scan something toggle into Google Chrome (which has Flash built in).

      The other alternative (assuming you don't want to buy a new scanner) is to download a reputable scanning app for your mobile phone. You take a picture of the document and, voila, it's scanned.

  2. Will from Minnesota

    Thanks for the timely post, I love your work!!! So… question… why is this latest flash debacle making my head explode "one more time"… Why… Why… WHY!!?? … Why do we still have our mind-boggling dependence on flash, after sooo many years of hearing that flash is on the way out? I've been using Tenfourfox for some time now to rebelliously persist in using my over-ten-year-old Power PC mac laptop. I've been able to overcome every obstacle, every annoying message over the past few years from various websites, banking, utilities, email, etc. that "your browser is no longer supported," but the one thorn in my side has been going without flash… vimeo, facebook (omg Mark!) youtube… youtube has been the best, as there has been a large proportion of content that via html-5 video (right?) I can still use, but even on youtube I frequently get the "not supported" wienie-slap… boo!… So why, if according to countless tech articles for YEARS now announcing that everything points to a happy transition to a flashless universe, it just won't GO AWAY!!?? (cue mad muttering in the attic noises…)

  3. drsolly

    This happens so often, that I've made a bash script for updating flash, so I don't have to think about it any more.

    Sigh.

    How do companies get away with such egregious insecurity?

  4. JohnC

    I am thoroughly fed up with Flash too. Click to Play helps to manage the risk but I would rather not have Flash installed at all. After all this time you would think they would take the hint and learn how to code securely and security test their products before each release, if only to protect their future business. I use Heimdal free to silently patch this and some other problemware at startup, but a Flash-free PC would be even better.

  5. JUK

    Can anyone tell me if we are supposed to receive a patch for this through Windows Update on Windows 10? Only I've not received updates for this, which I don't quite understand why not at this late stage.

    1. Donna · in reply to JUK

      I am confused also…I don't know to uninstall or what to do…:(

      1. Bob · in reply to Donna

        JUK

        you need to manually update Flash if it is installed at all; it won't be pushed out via Windows Update.

        Donna

        Graham's article has a link giving you clear instructions on how to check if you've got Flash installed, whether you need to update it and how to update.

        1. Juk · in reply to Bob

          Bob

          JUK

          you need to manually update Flash if it is installed at all; it won't be pushed out via Windows Update.

          Hi Bob, I only have Flash that is built into Internet Explorer 11, for which Windows Update will often send out patches. Other forums are saying there is still no actual official fix yet from Microsoft.

  6. Liz

    If I uninstall Flash, what takes its place? For instance, I have Flash set to Click To Play and when I am uploading photos to Shutterfly, it asks me to activate Adobe Flash. If I uninstall the Flash player, will that affect uploading?

    1. Bob · in reply to Liz

      In a word: nothing.

      Some sites like YouTube will play the video using HTML5 but other sites, like Shutterfly, won't work at all if Flash is uninstalled.

      https://support.shutterfly.com/app/answers/detail/a_id/1162/~/troubleshooting-flash

      1. Dan Lewis · in reply to Bob

        Bob, you answered another person's question: how does Adobe get away with crap code…? In short, there's not a viable alternative. Pity. I'd like to have one alternative for every Adobe product…
