April 8, 2016

Adobe Systems this week rushed out an emergency patch to plug a security hole in its widely-installed Flash Player software, warning that the vulnerability is already being exploited in active attacks.

brokenflash-aAdobe said a “critical” bug exists in all versions of Flash including Flash versions 21.0.0.197 and lower (older) across a broad range of systems, including Windows, Mac, Linux and Chrome OS. Find out if you have Flash and if so what version by visiting this link.

In a security advisory, the software maker said it is aware of reports that the vulnerability is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier. 

Adobe said additional security protections built into all versions of Flash including 21.0.0.182 and newer should block this flaw from being exploited. But even if you’re running one of the newer versions of Flash with the additional protections, you should update, hobble or remove Flash as soon as possible.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

By the way, I’m not the only one trying to make it easier for people to put a lasso on Flash: In a blog post today, Microsoft said Microsoft Edge users on Windows 10 will auto-pause Flash content that is not central to the Web page. The new feature will be available in Windows 10 build 14316.

“Peripheral content like animations or advertisements built with Flash will be displayed in a paused state unless the user explicitly clicks to play that content,” wrote the Microsoft Edge team. “This significantly reduces power consumption and improves performance while preserving the full fidelity of the page. Flash content that is central to the page, like video and games, will not be paused. We are planning for and look forward to a future where Flash is no longer necessary as a default experience in Microsoft Edge.”

Additional reading on this vulnerability:

Kafeine‘s Malware Don’t Need Coffee Blog on active exploitation of the bug.

Trend Micro’s take on evidence that thieves have been using this flaw in automated attacks since at least March 31, 2016.


36 thoughts on “Adobe Patches Flash Player Zero-Day Threat

  1. Robert.Walter

    But if Edge loads and then pauses Flash, isn’t the malware already on board? (Unless MS is downloading to a server and then pushing out a snapshot of the content.)

    1. Eaglewerks

      Edge will only run on Windows 10, and to some accounts appears to run is what is often referred to as “a sandbox”. Though with Windows 10 and Edge that may not be a salient term as other factors and security coding are involved.

  2. Den

    I ditched Flash a while back and I rarely miss it.

    I disabled it in my main browser (Chrome) and allowed it in IE, which I rarely use. If there’s some old web page (usually with a player to play some online video that I want to watch) I copy the URL to IE and play it there. Then when it’s done playing I close IE and go back to Chrome. This happens maybe once or twice a month.

    So yes, good riddance Flash! Such a resource hog too!

  3. ratbuddy

    The Notice on Adobe’s site has been updated – it’s being actively exploited on all versions of Windows from 10 and down, not just 7 and XP.

  4. Z

    Can we ditch adobe products yet? Are they writing flash or are they writing viruses? Yeesh.

    1. jdmurray

      The remaining Adobe product I have installed is Reader–only because I occasionally need to view Adobe DRM-encoded PDF files, otherwise it would be gone too.

    2. A

      no, but when you learn how to play on the interwebs with adobe products installed on your computer and not get stung, you can stay. until then, you have to go.

  5. Mahhn

    Test if you need flash in IE by making it click to play:

    Click on Gear/Manage Add-ons/Toolbars and Extensions/Shockwave Flash Object/More information/Remove all sites/Close

    1. coakl

      That works. You can add another layer of defense. You can make all ActiveX “click to play”, including Flash, by turning on Active X Filtering in Internet Explorer.

      Go to the Gears icon, Safety, click on ActiveX Filtering to activate. When you see a blue circle with a blue slash through it, that means ActiveX of some kind was blocked on that site. Click the blue circle and you will get a button allows you to turn off filtering on that site.

  6. Eaglewerks

    I am not sure why this is such a big deal. Perhaps because of too many lazy people? All users of a Mac or Windows OS should have already up-dated any Flash software they ran to Flash Player 21.0.0.182 some time ago, which contained a ‘mitigation feature’ which essentially blocked the problem. The current up-date changes the effected underlying code, essentially stopping the problem, rather than using a ‘mitigation feature.’

    I applaud Microsoft’s efforts to encourage websites to move on to HTML5js more secure open code. I find , however, that far too many of the websites I visit use flash for a good portion of their content. I suspect many such small businesses and sites have very limited resources and simply cannot afford to hire employees or perhaps an outside company to make the changes to the newer HTML5js.

    1. Winston

      “I find, however, that far too many of the websites I visit use flash for a good portion of their content.”

      Same experience here. I have Chrome configured to ask before loading any plug-in and there are so many sites that still use Flash that it is actually very annoying to have to approve the plug-in in every case.

    2. ljlkj

      I work at a large international law firm that uses external websites that emergency versions of Flash (and Java) have broken, so we apparently have to stay on the ‘extended release’ version of Flash and use an older, insecure version of the JRE. And no, i don’t think there are options for moving to other apps/websites. I can’t even imagine what it’s like in a massive corporation that dwarfs us in terms of apps/websites it requires.

      So it’s not always a simple matter to update. Instead we rely on things like OpenDNS to not return command-and-control IPs, Cisco’s SourceFire, and other security measures. I actually run my own non-domain joined system so I can keep Flash and Java updated.

    3. jbmartin6

      I had Flash set to ‘prompt’ for a while and was surprised at how many sites generated a prompt even with static content. I assume they were using it for tracking, or ad providers were.

  7. Stratocaster

    21.0.0.197 has not been out very long itself. I did not see an advisory about that version on this site, but I got a (surprise!) auto-notification about it from Adobe on 03/31.

  8. Debbie Kearns

    Brian, you claimed that Internet Explorer “should auto-install the latest Flash version on browser restart” in Windows 8.1 and 10, but I’m getting no updates on Internet Explorer Flash Player in Windows Update, and some Adobe guy said that the newest release “is not available for ActiveX Flash Player on Windows 8.1 and Windows 10,” as seen in this link. I’m getting confused. https://forums.adobe.com/thread/2135197

    1. Eaglewerks

      You should be using 21.0.0.182! Remember: Internet Explorer (embedded – Windows 8.1) – ActiveX and Edge (embedded – Windows 10) – ActiveX currently use: 21.0.0.182 Flash Player 21.0.0.182 contained a ‘mitigation feature’ which essentially blocked the problem.

      1. Eaglewerks

        Correction: The link Debbie posted above, DOES have a link further down the page for up-dating Windows 10 Edge. It may not have been there earlier.

        1. twinmustangranchdressing

          That link just goes to http://get.adobe.com/flashplayer though. I don’t have Windows 10 so I can’t see what happens when someone who does goes to that page. But when I click on the link to get the download for a different computer, then select Windows 10/Windows 8 in Step 1, Explorer and Edge are NOT among the browsers that can be chosen in Step 2.

  9. rei

    24 hours later, Win8.1 + Win10’s Edge/IE still contain outdated versions of Flash (v21.0.182) and no ability to get v21.0.213.

    1. twinmustangranchdressing

      Adobe says the Flash Player plugin will update automatically for those OS + browser combinations. Maybe Microsoft is supposed to release the updated plugin for those, like Google does for Chrome.

  10. Mike

    The problem is Flash. It does not matter what OS your using. You can update all you want and still never fix the problem because the only way to fix the problem is to get rid of flash. It’s the same thing with Java and a bunch of other stuff.

    The only way to win is not to play.

  11. twinmustangranchdressing

    Something new: The PPAPI plugin for Chrome 49.0.2623.112 on my MacBook with OS X 10.6.8 was updated from 21.0.0.213 to .216.

    1. twinmustangranchdressing

      My Windows XP SP3 netbook now has this version of the PPAPI plugin, too.

  12. Cory William Dennington

    Hi Mr. Krebs,

    I emailed you earlier this week about the FBI most wanted hackers. I have a few questions about some stuff. I am just curious about some of the people that are on that list. Yes, there should be ALOT more people on the list, no disagreement there. Please get back to me if you can, maybe you can help clarify something for me.

    Sincerely,
    Cory W. Dennington

  13. Andy

    I’ve had an interesting time in the 24 hours since I came across this Flash article. I decided that an old but useful XP box (with much renewed usefulness since changing its browser from IE to Chrome) should get its Flash upgrade right away, which it did, only to lead to frequent Flash crashes, hangs or non-response complaints from Chrome.

    This was a clear step backwards in performance, with frequently-used (and mainstream) web sites suddenly staggering or hanging due to Flash issues, so out of sheer exasperation, I disabled Flash in Chrome.

    The results at that point were dramatic, but entirely positive: Chrome’s entire performance on the old XP machine is now faster and more responsive than ever, and (this is the puzzling part) I can’t see anything different or non-functioning to suggest that Flash was ever there. Even stupid, unwanted advertising animations and videos on commercial websites are running fast and flawlessly.

    I’m not a heavy user of social media, nor do I go exploring strange areas of the Internet, so I don’t exactly push the limits here, but I am stumped as to what Flash was ever doing for me.

  14. Bryan

    The link in the article takes me to Adobe Player 21, but I already have 21 installed (ActiveX and NPAPI) so I guess this means I don’t have to do anything on my Windows 7.

  15. Uninstall Flash?

    What I’ve done is I have multiple web browsers installed. The one I normally use doesn’t have flash enabled at all. If I come across something that I really want to view, and it requires flash, then I consider the source carefully and consider using the other browser to look at that one site only. This way I’m safer most of the time from the normal riff raff web sites.

    1. Miro

      The problem of Adobe Flash is not with readers of this blog (following this blog proves they probably know what they are doing on the net) but milions of others (who have no idea at all about net dangers) and most importantly all the web sites still using the Flash !

  16. Dick

    Is the fundamental problem the player or the content? If it’s the player why hasn’t anyone come up with a safe alternative?

  17. User

    I have Windows 10 and use Firefox and this latest patch from Adobe will not install. I cannot get the download to complete successfully and when it did (once) it won’t install successfully. SOOOO frustrating…wish i could banish flash forever but i need it for certain sites.

  18. Matt

    Has anyone been able to get this installed/updated for Windows 10? I don’t have flash manually installed but since Microsoft is now including it for IE/Edge, they control it. Going to the Adobe page just redirects to hxxps://helpx.adobe.com/flash-player/kb/flash-player-issues-windows-10-ie.html

    I only use IE for specific business applications that don’t function well in Chrome but still want this patched. Windows/Microsoft update is still not showing any updates for this.

  19. Reddy

    I have a small query ..

    Adobe said a “critical” bug exists in all versions of Flash including versions “21.0.0.197 and lower (older)” , right.

    but how Abobe released pathch on “21.0.0.182 and newer” .

    In 0.0.197 version found bug but patch released in 0.0.182 version..
    How it is possible.

    1. reddy

      Here My question is How a lower version 20.0.0.182 is patch for vulnerable version 20.0.197 ..?

      any one plese explain me..

  20. CJ

    Recently, I needed to take a half-hour online security training class. In order to complete the training I needed to run both Flash and Java. I am simultaneously amused and appalled.

Comments are closed.