Adobe issues a patch for a zero-day exploit in Flash 21.0.0.242
June 16, 2016
Updated with new version numbers
Adobe has released a patch for a zero-day exploit targeting Flash Player versions 21.0.0.242 and under. The patched version, 22.0.0.192, first announced on June 14, was released on June 16, 2016. The Adobe security advisory, rated critical, is here. This version patches a total of 36 new vulnerabilities, as listed in this security bulletin.
The active zero-day exploit affects Flash versions 21.0.0.242 and earlier. It was detected in the wild in targeted attacks by Kaspersky Labs. The technical details are in this blog post.
Many zero-day exploits in Flash Player start life in very targeted attacks aimed at high-value targets. After word gets out, these attacks are included in general-purpose exploit kits, where everybody running Flash Player is targeted. The attacks may come in the guise of a fake invoice or other email attachment. Or, they may be inside a JavaScript redirect hidden in a poisoned advertisement that is displayed on an innocent web page you happen to be viewing. Some exploits are placed as links on websites, often using terms like "OMG" to trick people into clicking on an image or fake movie link that is worded to pique your curiosity.
So, if you know you have Flash Player installed on your computers, check the Adobe About Flash Player page often for updates. It will read your installed version of Flash and list the current versions for various browsers and operating systems. If your version is out of date, go to the Flash Player Download Center. While Firefox still uses a Flash plug-in and Internet Explorer an ActiveX extension version, Microsoft Edge and Google Chrome use a built-in Flash Player that is updated with a full browser version update. So, check your browser for updates (using Help > About...).
To reiterate, the new current patched version of Adobe Flash is 22.0.0.192.
Note that Adobe AIR uses Flash components and is often updated following Flash updates. A new patched version of AIR, 22.0.0.153, is available on the Adobe AIR web page. If you have AIR installed, keep it updated to avoid having exploitable software on your computer.
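As an added example that is not from the original post, here is a small Python check that applies the two fixed build numbers above (Flash 22.0.0.192, AIR 22.0.0.153) to a host inventory; the host names, the inventory format and the older build numbers are constructed for the example.

```python
"""Flag hosts whose Flash Player or AIR build predates the June 2016 fixed
releases. Added example, not from the original post; inventory is constructed."""
import re

# Minimum fixed builds named in the post: Flash 22.0.0.192, AIR 22.0.0.153.
FIXED = {"flash": (22, 0, 0, 192), "air": (22, 0, 0, 153)}


def parse_version(s):
    """Turn '21.0.0.242' into the comparable tuple (21, 0, 0, 242).
    Raises ValueError on anything that is not four dotted integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(product, version):
    """True if the installed build is older than the patched build.
    Tuple comparison is used on purpose: comparing the raw strings would
    rank '9.0.280.0' above '22.0.0.192' because '9' > '2' lexically."""
    return parse_version(version) < FIXED[product]


def find_vulnerable(inventory):
    """inventory: iterable of 'host, product, version' lines (constructed format).
    Returns a sorted list of (host, product, version) needing an update."""
    hits = []
    for line in inventory:
        host, product, version = (f.strip() for f in line.split(","))
        if is_vulnerable(product.lower(), version):
            hits.append((host, product.lower(), version))
    return sorted(hits)


# Constructed sample inventory, one host per line.
SAMPLE_INVENTORY = [
    "ws01, flash, 21.0.0.242",  # the version the zero-day targets
    "ws02, flash, 22.0.0.192",  # already on the patched build
    "ws03, flash, 20.0.0.306",  # constructed older build, still vulnerable
    "ws04, air, 21.0.0.215",    # constructed AIR build below 22.0.0.153
    "ws05, air, 22.0.0.153",    # patched AIR
    "ws06, flash, 9.0.280.0",   # constructed; trips naive string comparison
]

if __name__ == "__main__":
    for host, product, version in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs updating")
```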
Finally, try living without Flash. I started by making it only play on demand when I right-click on a Flash placeholder. All browsers, except the outdated Internet Explorer, are moving away from Flash, making it click-to-play by default. Soon, they will be dropping all support for running Flash in the browser. Most video websites have already switched or converted their videos to the new and safe HTML5 video format, which all modern browsers understand and play without any user input needed. However, Internet Explorer 9 has only partial support for HTML5. If you are running Windows XP (you shouldn't be doing that any more!), you may be using IE 6, 7 or 8, none of which understand HTML5 and all of which are exploitable and unsupported by Microsoft.
Having gone mostly without Flash Player for a few months, I recommend that you uninstall Flash, or just disable it in your daily-use browser via the browser settings.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.