June 16, 2016

Adobe issues a patch for a zero-day exploit in Flash 21.0.0.242

Updated with new version numbers

Adobe has released a patch for a zero-day exploit targeting Flash Player versions 21.0.0.242 and earlier. The patched version, 22.0.0.192, first announced in an Adobe security advisory on June 14, was released on June 16, 2016. The advisory (APSA16-03) is rated critical, and the zero-day vulnerability it covers is tracked as CVE-2016-4171. The new version fixes a total of 36 vulnerabilities, listed in security bulletin APSB16-18.

The zero-day being exploited affects Flash Player 21.0.0.242 and earlier. Kaspersky Lab detected it in the wild in targeted attacks and has published the technical details on its blog.

Many Flash Player zero-days start life in narrowly targeted attacks on high-value targets. Once the details get out, the exploit is folded into general-purpose exploit kits, and everyone running an unpatched Flash Player becomes a target. The attack may arrive as a fake invoice or other email attachment, or as a JavaScript redirect hidden in a poisoned advertisement served on an innocent web page you happen to be viewing. Some are planted as links on websites, often using bait like "OMG" on an image or fake movie link worded to pique your curiosity.

So, if you have Flash Player installed on your computers, check the Adobe About Flash Player page often for updates. It reads your installed Flash version and lists the current versions for the various browsers and operating systems. If your version is out of date, go to the Flash Player Download Center. Firefox still uses the separately installed Flash NPAPI plug-in and Internet Explorer an ActiveX control, so those must be updated on their own, whereas Microsoft Edge and Google Chrome ship with a built-in Flash Player that is updated together with the browser. For those two browsers, check the browser itself for updates (Help > About...).

To reiterate, the new current patched version of Adobe Flash is 22.0.0.192.

Note that Adobe AIR bundles Flash runtime components and is usually updated shortly after each Flash release. A patched version of AIR, 22.0.0.153, is available on the Adobe AIR page. If you have AIR installed, keep it updated so you are not left with exploitable software on your computer.
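The check the About Flash Player page performs, comparing what is installed against the patched builds quoted above (Flash 22.0.0.192, AIR 22.0.0.153), can be scripted for a whole fleet. The following Python script is an added example for this post, not code from the original article or from Adobe. It compares version numbers numerically, because a plain string comparison would rank an ancient "9.0.0.1" above "22.0.0.192" and report it as patched. The Windows registry key names it reads are an assumption of this example (verify them on your own systems), and the sample version list is constructed so the script runs offline on any platform.

```python
"""Check installed Flash Player / AIR versions against the patched builds named
in this post (Flash 22.0.0.192, AIR 22.0.0.153).  Added example: this is not
code from the post or from Adobe."""
import re
from typing import Dict, Optional, Tuple

# Minimum patched builds quoted in the post.
PATCHED: Dict[str, str] = {
    "Flash Player": "22.0.0.192",
    "AIR": "22.0.0.153",
}

# Where the Windows Flash installers record their version.
# ASSUMPTION of this example: verify these key names on your own systems.
# (label, product key in PATCHED, HKLM subkey, value name)
WINDOWS_REGISTRY_SOURCES = [
    ("Flash ActiveX (Internet Explorer)", "Flash Player",
     r"SOFTWARE\Macromedia\FlashPlayerActiveX", "Version"),
    ("Flash NPAPI plug-in (Firefox)", "Flash Player",
     r"SOFTWARE\Macromedia\FlashPlayerPlugin", "Version"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '21.0.0.242' (or '21,0,0,242', as Flash's About page prints it on
    some platforms) into a tuple of ints so that comparison is numeric.
    Comparing the strings would be wrong: '9.0.0.1' > '22.0.0.192' lexically,
    so an ancient Flash 9 would look 'patched'."""
    parts = re.split(r"[.,]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))   # '22.0' compares as 22.0.0.0


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is the patched build or newer."""
    return parse_version(installed) >= parse_version(PATCHED[product])


def assess(installed: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """installed maps a label to (product, version or None if absent);
    returns label -> verdict."""
    verdicts = {}
    for label, (product, version) in installed.items():
        if version is None:
            verdicts[label] = "not installed"
        elif is_patched(product, version):
            verdicts[label] = "patched"
        else:
            verdicts[label] = f"VULNERABLE (have {version}, need {PATCHED[product]})"
    return verdicts


def read_windows_versions() -> Dict[str, Tuple[str, Optional[str]]]:
    """Read the Flash version strings from the registry.  On non-Windows hosts
    winreg does not exist and an empty dict is returned."""
    try:
        import winreg  # Windows only
    except ImportError:
        return {}
    found = {}
    for label, product, subkey, value_name in WINDOWS_REGISTRY_SOURCES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                found[label] = (product, winreg.QueryValueEx(key, value_name)[0])
        except OSError:             # key or value missing: not installed
            found[label] = (product, None)
    return found


# Constructed sample, not captured from a real machine, so the script runs offline.
SAMPLE_INSTALL: Dict[str, Tuple[str, Optional[str]]] = {
    "Flash ActiveX (Internet Explorer)": ("Flash Player", "21.0.0.242"),  # last unpatched build
    "Flash NPAPI plug-in (Firefox)": ("Flash Player", "22.0.0.192"),
    "Flash (forgotten old install)": ("Flash Player", "9.0.0.1"),
    "AIR": ("AIR", None),
}

if __name__ == "__main__":
    installed = read_windows_versions() or SAMPLE_INSTALL
    for label, verdict in assess(installed).items():
        print(f"{label:36} {verdict}")
```

On a Windows host the script reads the registry; elsewhere it falls back to the constructed sample, which is enough to see the "VULNERABLE" verdict for 21.0.0.242 and for the forgotten Flash 9 install that a string comparison would have waved through.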

Finally, try living without Flash. I started by making it only play on demand when I right-click on a Flash placeholder. All browsers except the outdated Internet Explorer are moving away from Flash and making it click-to-play by default, and they will eventually drop support for running Flash in the browser altogether. Most video websites have already switched to, or converted their videos to, HTML5 video, which every modern browser plays natively, with no plug-in and no user action needed. However, Internet Explorer 9 has only partial HTML5 support, and if you are still running Windows XP (you shouldn't be!) you may be using IE 6, 7 or 8, none of which understand HTML5 and all of which are exploitable and unsupported by Microsoft.

Having gone mostly without Flash Player for a few months, I recommend that you uninstall Flash, or just disable it in your daily-use browser via the browser settings.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.