Patch Flash NOW

…or kick it to the kerb.

Graham Cluley

This is your semi-regular alert that a critical security vulnerability has been found in Adobe Flash, and it is being actively exploited in in-the-wild attacks.

Yes, I know. I was shocked too… But this time the concern is particularly serious.

Adobe has the skinny in its advisory:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.

So, if you’re still choosing to use Adobe Flash on your computers you should update to version 23.0.0.205 on Windows and macOS, and to version 11.2.202.643 on Linux, as a matter of priority.
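One way to apply those version thresholds across a machine inventory, as an added example that is not from the original article or from Adobe. The CSV layout, host names and status labels are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Fixed versions quoted in the article for CVE-2016-7855.
FIXED = {
    "windows": (23, 0, 0, 205),
    "macos": (23, 0, 0, 205),
    "linux": (11, 2, 202, 643),
}

def parse_version(text):
    """Turn '23.0.0.185' into (23, 0, 0, 185); reject anything malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)

def status(platform, version_text):
    """Return 'up-to-date', 'needs-update' or 'unknown' for one install."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "unknown"
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "unknown"
    if installed[0] > fixed[0]:
        # Assumption: a higher major number is a different release branch
        # for which the article names no fixed version, so do not guess.
        return "unknown"
    # Numeric comparison: as strings, '23.0.0.99' would sort above '23.0.0.205'.
    return "up-to-date" if installed >= fixed else "needs-update"

def triage(inventory_csv):
    """Map host -> status for CSV columns host,platform,flash_version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: status(r["platform"], r["flash_version"]) for r in rows}

# Constructed sample inventory with hypothetical host names.
SAMPLE = """host,platform,flash_version
ws-01,windows,23.0.0.185
ws-02,windows,23.0.0.205
mac-01,macOS,23.0.0.99
lin-01,linux,11.2.202.643
lin-02,linux,11.2.202.637
kiosk-01,windows,unknown
"""

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}: {result}")
```

Hosts reported as `unknown` need a manual look rather than being counted as safe.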

You may also run Flash through its integration into the Chrome, Microsoft Edge or Internet Explorer 11 browsers. These should update automatically, taking some of the burden off you, but there’s nothing like double-checking that everything is shipshape.

On Chrome, enter chrome://components/ in your browser URL bar and you should be able to see the version number for your embedded version of Flash (and a “Check for update” button if you need to manually update).

If you’re bold enough to still be using the internet with Flash enabled please enable “Click to Play” at the very least.

But if you want to enter the brave new Flash-less world, here is our guide on how to uninstall it from your computers.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

7 comments on “Patch Flash NOW”

  1. Bob

    This is an incredibly serious vulnerability and exploits are already in the wild.

    Update people ASAP.

    http://www.theregister.co.uk/2016/10/26/adobe_patches_fresh_flash_zeroday/

  2. wally

    Sadly, no matter how much anyone decries Flash, there are just an ocean of major sites that have not gone to HTML5 and show signs of ever doing so.

  3. wally

    sorry, meant 'show NO signs of ever doing so'

  4. Bob

    I agree with you wally, I despise Flash but a lot of sites still use it and if you don't have it on your system then you can't see the content.

    Some sites change to HTML5 (like YouTube) if they detect that you don't have Flash, but sadly not all do.

    Personally I don't have Flash installed as a standalone application but as part of Google Chrome and Edge. That way it's automatically updated… at least in theory.

    The current stable version of Google Chrome is 54.0.2840.71 and unfortunately Google have yet to push out the update via the automatic mechanism which means your average user won't be protected. You've got to go through the hidden 'chrome://components/' mechanism to manually update Flash. Unless you're 'IT savvy' and are aware of this latest vulnerability then you won't be protected.

    Microsoft Edge has yet to receive its update :-(

    I also use 'click to play' because it greatly improves your security and stops those pesky pop-ups which automatically run Flash to deliver you a hideous advertisement.

    This vulnerability is under active attack and it is imperative users patch immediately.

    https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/

  5. Spryte

    Not worried at all…

    Uninstalled Flash almost as soon as I bought this new computer (I have not had Flash on ***any*** computer for several years).
    When I end up at a site which requires it I simply "Contact" them and tell them I can't use their site due to the fact they want me to use this antiquated and insecure technology. There are ***other sites*** that provide the same services without me having to use Flash.
    I also advise friends, relatives and co-workers not to use it (or at least Click to Play) if they insist on using it.

    1. Bob · in reply to Spryte

      What browser(s) do you use if you don't use Flash at all?

      Almost all browsers use it irrespective of it being installed on your computer – it's normally found lurking in its PPAPI or NPAPI form.

  6. Bob

    If you're using Edge (with built-in Flash) but you *don't* have Flash installed on your system you are now able to update your version of Flash as Microsoft have released an emergency patch… you don't need to wait for patch Tuesday!

    Security Update for Adobe Flash Player for Windows 10 Version 1607 (for x64-based Systems) (KB3194343).

    Go to 'All Settings', 'Update & security' and then 'Windows update'.
