Critical Flash Vulnerability: All Versions 28.0.0.161 and Earlier Are Vulnerable
Adobe has not seen this critical Flash vulnerability exploited in the wild yet
A critical vulnerability in Adobe Flash Player has been disclosed. Every version up to and including 28.0.0.161 is affected, and successful exploitation could let an attacker sneak malware onto your computer. The fixed release is 29.0.0.113.
Granted, this kind of news hardly qualifies as surprising anymore, but don’t let security fatigue dissuade you from updating, and fast. Nor should the fact that Adobe classifies this as a Priority 2 update: that rating means there are no known exploits yet for a product that has historically been at elevated risk, not that the bug is hard to exploit.
Affected Product Versions
Per Adobe’s security bulletin, here are the affected product versions:
Product | Version | Platform
--- | --- | ---
Adobe Flash Player Desktop Runtime | 28.0.0.161 and earlier | Windows, Mac
Adobe Flash Player for Google Chrome | 28.0.0.161 and earlier | Windows, Mac, Linux, Chrome OS
Adobe Flash Player for Microsoft Edge and IE 11 | 28.0.0.161 and earlier | Windows 8.1 & 10
Adobe Flash Player Desktop Runtime | 28.0.0.161 and earlier | Linux
Here’s how a Flash vulnerability can be used against you
Adobe warns that successful exploitation of these vulnerabilities could lead to what is called “arbitrary code execution.” In practice this is a remote code execution flaw: an attacker can make your computer run code of their choosing, with the privileges of the user running Flash. That code is typically malware.
With a critical Flash vulnerability like this one, all it takes to spell disaster is landing on the wrong web page. A malicious or compromised site can serve a booby-trapped Flash file that the plugin loads automatically, so simply visiting the page is as good as downloading a virus and clicking through every warning to run it, only without the download or the warnings.
And cybercriminals are prolific. We discussed how, at the end of last year, over 1.4 million phishing websites were being created per month; the number of legitimate websites that get compromised in the same span is even greater. Attackers cast the widest net possible and try to ensnare as many internet users as they can.
Flash is the perfect complement to that strategy: it is widely installed and has a long record of being easy to exploit.
How easily exploitable is Flash? How often does this happen?
Without trying to be too critical of Adobe, this does seem to happen quite a bit.
The most recent such issue was reported on February 1, 2018, and that one was exploited in the wild before a patch existed:
Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.
On October 16, 2017, Adobe dealt with a zero-day in the wild. A zero-day exploit attacks a vulnerability the vendor did not know about, so no patch exists when the attacks begin:
Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.
Then in 2016, Adobe dealt with four zero-days:
Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details.
Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks.
And that’s just the last couple of years. In 2015, Adobe had to deal with four zero-days in the span of three weeks.
And this list covers only the vulnerabilities that were exploited in the wild before a fix was available; the full list of critical Flash vulnerabilities Adobe patched in those years is much longer.
Updating to Fix the Critical Flash Vulnerability
The good news for Google Chrome users is that they get the fix through Chrome’s automatic updates. The same goes for Microsoft Edge and Internet Explorer 11 on Windows 8.1 and Windows 10, where Microsoft ships the Flash update through Windows Update.
For the rest of us, here’s Adobe’s advice:
Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 29.0.0.113 via the update mechanism within the product or by visiting the Adobe Flash Player Download Center.
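A practical follow-up to that advice is checking which machines actually still run an affected build. The script below is an added example, not code from Adobe or from this article: it takes a constructed inventory of hosts and their reported Flash versions, compares each against the bulletin’s cutoff (28.0.0.161 and earlier is vulnerable, 29.0.0.113 is fixed) with a proper numeric comparison rather than a string compare, and lists the hosts that need updating. The optional Windows registry read assumes the ActiveX control records its version under HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX; treat that location as an assumption and verify it on your own systems.

```python
"""Triage a Flash Player inventory against Adobe's fixed-version cutoff."""
from typing import List, Optional, Tuple

VULNERABLE_MAX = "28.0.0.161"   # last affected build per the bulletin table
FIXED_VERSION = "29.0.0.113"    # build Adobe tells users to update to


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Flash version into a tuple of integers.

    A plain string comparison is wrong here: as text, "9.0.0.1" sorts after
    "28.0.0.161", so a lexicographic check would call an ancient build safe.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if version is 28.0.0.161 or earlier (the bulletin's affected range)."""
    return parse_version(version) <= parse_version(VULNERABLE_MAX)


# Constructed inventory for the example: (hostname, platform, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Windows", "28.0.0.161"),   # last vulnerable build
    ("ws-02", "Windows", "29.0.0.113"),   # already patched
    ("mac-07", "Mac", "28.0.0.137"),      # older affected build
    ("lnx-03", "Linux", "9.0.0.1"),       # a string compare would miss this one
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that still need the 29.0.0.113 update."""
    return [host for host, _platform, ver in inventory if is_vulnerable(ver)]


def local_windows_activex_version() -> Optional[str]:
    """Read the IE/ActiveX Flash version from the registry; None off Windows.

    Assumption: the control stores its version as the 'Version' value under
    HKLM\\SOFTWARE\\Macromedia\\FlashPlayerActiveX. Verify on your own hosts.
    """
    try:
        import winreg
    except ImportError:
        return None
    try:
        key_path = r"SOFTWARE\Macromedia\FlashPlayerActiveX"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, "Version")[0]
    except OSError:
        return None


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update Flash Player to {FIXED_VERSION}")
    local = local_windows_activex_version()
    if local is not None:
        state = "VULNERABLE" if is_vulnerable(local) else "patched"
        print(f"this host runs {local}: {state}")
```

Feed it the versions your endpoint agent or software inventory already reports; the point of the numeric comparison is that an inventory tool that sorts version strings alphabetically will quietly misclassify old single-digit major versions.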
For what it’s worth, Adobe plans to end support for Flash at the end of 2020. Until then, cybercriminals still have a couple more years to use it against you.
Maybe the best way to stay secure when using Flash is just not to use it in the first place: uninstall it where nothing depends on it, and keep it updated where something still does.