Critical Flash Vulnerability: All Versions prior to 28.0.0.161 are vulnerable

Adobe has not seen this critical Flash vulnerability exploited in the wild yet

A critical vulnerability in Adobe Flash has been discovered. All versions prior to 28.0.0.161 include a critical Flash vulnerability that could allow attackers to sneak malware onto your computer.

Granted, this kind of news hardly qualifies as surprising anymore, but don’t let security fatigue – or the fact that Adobe classifies this as a Priority 2 Update, which means the vulnerability hasn’t been exploited in the wild – dissuade you from updating. And fast.

Affected Product Versions

Per Adobe’s security bulletin, here are the affected product versions:

| Product | Version | Platform |
|---|---|---|
| Adobe Flash Player Desktop Runtime | 28.0.0.161 and earlier | Windows, Mac |
| Adobe Flash Player for Google Chrome | 28.0.0.161 and earlier | Windows, Mac, Linux, Chrome OS |
| Adobe Flash Player for Microsoft Edge and IE 11 | 28.0.0.161 and earlier | Windows 8.1 & 10 |
| Adobe Flash Player Desktop Runtime | 28.0.0.161 and earlier | Linux |

Here’s How a Flash Vulnerability Can Be Used Against You

Adobe is quick to warn that the successful exploitation of these vulnerabilities could lead to what is called “arbitrary code execution.” Basically, this is a remote code execution flaw that allows an attacker to force your computer into running code, and that code is typically malware.

With a critical Flash vulnerability like this one, all it takes to spell disaster is landing on the wrong web page. That’s because just landing on an infected site is as good as downloading a proper virus and then clicking through any warnings to start running it on your machine.

And again, cybercriminals are pretty prolific. We discussed how, at the end of last year, over 1.4 million phishing websites were being created per month. Well, the number of websites that get compromised in that same span is even greater. These hackers try to cast the widest net possible and then seek to ensnare as many internet users as possible in it.

And Flash is the perfect complement given that it’s widely used and easily exploitable.

How easily exploitable is Flash? How often does this happen?

Without trying to be too critical of Adobe, this does seem to happen quite a bit.

The most recent issue was reported on February 1, 2018. And this one was exploited in the wild.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

On October 16, 2017, Adobe dealt with a zero-day in the wild. A zero-day exploit is an attack that exploits a previously unknown security vulnerability.

Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

Then in 2016, Adobe dealt with four zero-days.

June 14

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

May 12

Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

April 7

Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details.

March 10

Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.

And that’s just the last couple of years. In 2015, Adobe had to deal with four zero-days in the span of three weeks.

And this is just a list of the critical Flash vulnerabilities.

Updating Critical Flash Vulnerabilities

The good news for Google Chrome users is that they can expect to get the fix in an automatic update. This will also be the case for Windows users of Microsoft Edge and Internet Explorer 11 on both Windows 8.1 and Windows 10.

For the rest of us, here’s Adobe’s advice:

Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 29.0.0.113 via the update mechanism within the product or by visiting the Adobe Flash Player Download Center.
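
A fleet check built from the affected-version table and the 29.0.0.113 release named in Adobe's advice, as an added example that is not code from Adobe or from the original article. It compares versions numerically, because a plain string comparison would rank 9.0.0.280 above 28.0.0.161; the host names, the inventory row layout and the comma-separated version form are assumptions.

```python
import re

# Versions taken from the page: 28.0.0.161 and earlier are listed as affected,
# and Adobe's advice is to update the desktop runtime to 29.0.0.113.
LAST_AFFECTED = (28, 0, 0, 161)
FIXED = (29, 0, 0, 113)

# Assumption: inventory tools report four numeric fields separated by '.' or ','.
_VERSION_RE = re.compile(r"\d+(?:[.,]\d+){3}")

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not a.b.c.d."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in re.split(r"[.,]", text))

def classify(version_text):
    """Map one reported version string to affected / review / patched / unknown."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"      # unparseable: check the host by hand, never assume safe
    if version <= LAST_AFFECTED:
        return "affected"
    if version < FIXED:
        return "review"       # between the two builds; the page does not say
    return "patched"

def audit(inventory):
    """Group host names by status for rows of (host, product, version)."""
    report = {}
    for host, _product, version_text in inventory:
        report.setdefault(classify(version_text), []).append(host)
    return report

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "Flash Player Desktop Runtime", "28.0.0.161"),
    ("ws-002", "Flash Player Desktop Runtime", "29.0.0.113"),
    ("ws-003", "Flash Player Desktop Runtime", "9.0.0.280"),  # a string compare ranks this above 28.x
    ("ws-004", "Flash Player for Google Chrome", "28,0,0,137"),
    ("ws-005", "Flash Player Desktop Runtime", "not installed?"),
    ("ws-006", "Flash Player Desktop Runtime", "29.0.0.100"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:8} {', '.join(hosts)}")
```
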

For what it’s worth, Adobe plans to sunset Flash in 2020. But that means cybercriminals still have a couple more years to mess with you.

Maybe the best way to stay secure when using Flash is just not to use it in the first place.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.