
Still using Adobe Flash? Oh well, get updating: 15 hijack flaws patched

At least one is already being exploited – and more will be targeted

People still using Adobe Flash should update the plugin after the Photoshop giant patched 15 remote-code execution holes in its screen-door software.

If hackers aren't already exploiting all these holes in the wild, they soon will be. The remote-code exec bugs allow miscreants to hijack vulnerable Windows, OS X and Linux computers, simply by luring victims to websites booby-trapped with malicious Flash files.

Adobe said the February 5 patch batch addresses 18 CVE-listed vulnerabilities in its sadly ubiquitous plugin.

There are four use-after-free() bugs, six memory corruption vulnerabilities, two type confusion flaws, two heap buffer overflow bugs, and one buffer overflow hole – all of which allow remote-code execution. There are three null pointer dereference blunders, which could be exploited to crash the plugin (which is no bad thing).

Most of the security glitches were discovered and reported by researchers working for Google, Microsoft, Trend Micro, and Venustech ADLAB, plus others via HP's Zero Day Initiative and the Chromium Vulnerability Rewards Program.

People should upgrade their copies of the software as soon as possible. Adobe noted that at least one of the flaws (CVE-2015-0313) is already being exploited by attackers to take over PCs from afar. Once inside a computer, crooks can swipe passwords, spy on victims and more.

The digital art supplies biz notes:

  • Users of Adobe Flash Player for Windows and OS X should update to Adobe Flash Player 16.0.0.305.
  • Users of Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269.
  • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442.
  • The Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.
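
The fixed versions in the list above can be checked against a software inventory. This added example is not from Adobe or the article; the CSV layout, the hostnames, and the rule that a 13.x install on Windows or OS X is an ESR install are assumptions.

```python
import csv
import io

FIXED = {
    "mainline": (16, 0, 0, 305),  # Windows and OS X
    "esr": (13, 0, 0, 269),       # Extended Support Release
    "linux": (11, 2, 202, 442),
}

# Constructed sample inventory; hosts and installed versions are made up.
SAMPLE_INVENTORY = """host,platform,flash_version
ws-001,windows,16.0.0.296
ws-002,windows,16.0.0.305
ws-003,osx,13.0.0.264
ws-004,osx,"13,0,0,269"
dev-01,linux,11.2.202.440
dev-02,linux,11.2.202.442
ws-005,windows,15.0.0.246
ws-006,windows,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if this is not a Flash version string."""
    # Some tools report the version comma-separated, so accept both forms.
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def track_for(platform, version):
    """Assumption: a 13.x install on Windows/OS X is on the ESR track."""
    if platform.strip().lower() == "linux":
        return "linux"
    return "esr" if version[0] == 13 else "mainline"


def audit(inventory_csv):
    """Map each host to 'patched', 'update to <fixed>' or 'unparseable'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["flash_version"])
        if version is None:
            results[row["host"]] = "unparseable"  # needs manual follow-up
            continue
        fixed = FIXED[track_for(row["platform"], version)]
        ok = version >= fixed  # tuple comparison orders versions field by field
        results[row["host"]] = "patched" if ok else "update to " + ".".join(map(str, fixed))
    return results
```

Calling `audit(SAMPLE_INVENTORY)` returns a per-host status; anything older than 13.x on Windows or OS X is measured against the mainline release.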

Usually, Adobe tries to release its security updates on the second Tuesday of every month, alongside Microsoft's Patch Tuesday cycle, but had to act this week because, as mentioned above, hackers are all over at least one of the programming cockups.

Security isn't Adobe's strongest suit. Websites, such as YouTube, have dumped Flash in favor of HTML5 and other video-streaming formats.

El Reg has made its stance clear: uninstall Flash. ®
