Dear Windows, OS X folks: Update Flash now. Or kill it. Killing it works
Adobe plugs latest hole in hacker punch bag
Adobe has published new versions of Flash to patch a vulnerability being exploited right now by hackers to hijack PCs and Macs.
The APSB16-10 update addresses a total of 24 CVE-listed flaws, including one (CVE-2016-1019) that's been exploited in the wild to inject malware into Microsoft Windows and Apple OS X systems.
Users running Flash Player versions 18.104.22.168 and prior for Windows, OS X, Linux and ChromeOS are advised to update the plugin to address the vulnerabilities. For Flash Player Extended Support, the vulnerable software is version 22.214.171.1243 and earlier and Flash Player for Linux version 126.96.36.1997.
Among the vulnerabilities patched in the update is CVE-2016-1019, a remote code execution vulnerability that is currently being exploited in the wild by the Magnitude Exploit Kit. According to researchers with Trend Micro, the flaw is being targeted in both Windows and OS X systems to perform automated malware installs.
Simply browsing a webpage booby-trapped with a malicious Flash file is enough to trigger execution of evil code, allowing miscreants to potentially snoop on victims' passwords and other sensitive information on their computers.
Adobe is recommending that users update Flash as soon as possible to patch the flaws. Users running Chrome, Internet Explorer and Edge will automatically get the update when updating their browser.
Researchers warned earlier this week that the CVE-2016-1019 zero-day was being targeted in the wild and that an out-of-band security patch to address the vulnerability was in the works.
The patch is the latest fix for a Flash plugin that has become a favorite target for exploits and drive-by malware attacks. Researchers have suggested that users and administrators disable Flash Player in order to prevent attacks.
One company doing just that is Microsoft, which announced earlier today that upcoming versions of the Edge browser would disable "non-central" Flash content in webpages by default (users can change the setting). Microsoft is also recommending that site owners consider moving their pages to newer, safer formats such as HTML5. ®