Kill Flash now. Or patch these 36 vulnerabilities. Your choice
One bug being exploited right now in the wild
Adobe has released an update for Flash that addresses three dozen CVE-listed vulnerabilities.
The update includes a fix for the CVE-2016-4171 remote code execution vulnerability that is right now being exploited in the wild to install malware on victims' computers.
Adobe is recommending that users running Flash for Windows, macOS, Linux, and ChromeOS update the plugin as quickly as possible, giving the update the "Priority 1" ranking, a designation reserved for flaws that are, according to Adobe, "being targeted, or which have a higher risk of being targeted."
Adobe credited security researchers at Cisco Talos, Google Project Zero, FireEye, Microsoft Vulnerability Research, Tencent PC Manager, Kaspersky, Pangu Lab, and Qihoo 360 Codesafe Team with reporting the 36 flaws.
For Windows, macOS and ChromeOS (as well as the Chrome browser), the updated version will be 18.104.22.168. The latest version of Flash Player for Linux is 22.214.171.1246 and Flash Player Extended Support will get version 126.96.36.1990.
The update comes just days after Adobe posted its June security update to address vulnerabilities in Flash as well as Cold Fusion, Creative Cloud, and Brackets.
The release also comes as more software makers are opting to exclude Flash from their browsers. Apple said Safari will be disabling Flash by default, joining the ranks of Google Chrome in opting for HTML5 content rather than Flash code, due to the large volume of security flaws present in the widespread browser plugin.
Both of the Flash-less versions of Chrome and Safari are due to be released under general availability later this year. You should set your browser to run Flash content only when you specifically allow it – so-called click-to-run – to prevent drive-by exploitation of these flaws. ®