Kill Flash Now: 78 bugs patched in latest update
More holes than the British Open!
Adobe has released another update to address dozens of flaws in its Flash Player browser plug-in.
The December update fixes 78 CVE-classified security vulnerabilities in Flash Player for OS X, Windows, Linux, and Android. The patch includes 75 separate vulnerabilities that could be exploited by an attacker to remotely execute code on a vulnerable system.
In addition to the 75 remote code execution flaws, the update addresses three CVE-listed vulnerabilities that could allow for security bypasses. Adobe said it has not yet received any reports of the flaws being targeted in the wild.
Adobe is advising users running OS X and Windows to update their copy of Flash Player to version 20 or later, while Chrome, IE 11, and Microsoft Edge users will receive their updates through the browser. Adobe classifies the fix as a top priority for all Windows, OS X, and Linux browser versions.
Users running Adobe AIR and AIR SDK for Windows, OS X, Android, or iOS are also advised to update their software to address the vulnerabilities.
Many will point to this latest update as yet another reason for developers, users, and site operators to minimize or outright eliminate the use of Flash. With more-secure platforms such as HTML5 gaining adoption, alternatives to the bug-riddled Flash are only growing more attractive.
Researchers have found that even when the browser-facing components of Flash are disabled, code can be injected into other documents that launches and then exploits vulnerabilities, leaving an outright removal the only option.
Even Adobe is nudging customers away from Flash, renaming its most-recent version of Flash Tools "Animator" and encouraging a move over to HTML5. ®