Adobe has again had to issue an update to the browser plug-in version of Flash due a critical flaw in the program that allows remote attackers to take over un-updated Macs or PCs, the latter running either Windows or Linux. The company urges users to update to the latest version, first issued on Friday, that patches the problem — however, all previous versions should be considered at risk, and there are not yet any Chrome browser or standalone updaters available.
On a Mac, users can simply visit the Flash system preference panel and easily update to the latest version, now at v16.0.0.297. The process can even be automatic if users prefer, though all web browsers must be quit before the patch can be installed. Adobe is said to be working on a standalone version of the patch for multiple operating systems and system versions, and is working with Chrome to update the built-in version of Flash found in its Chrome browser for multiple platforms. Apple is likely to opt to silently disable all older versions of Flash on Safari browsers, essentially forcing an update for those users.
The Flash browser plug-in has had to be updated innumerable times for security and program fixes large and small, but not all versions of Windows or OS X are still supported. Those machines that cannot be updated to the most recent version of Flash either due to the machine’s OS X version limitations or by user choice are advised to disable the Flash plug-in entirely and live without Flash support on websites, as the flaw — CVE 2015-0311 — is “being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below,” said the company.
While only Windows attacks have been seen in the wild at present, Macs running 16.0.0.287 or lower are also vulnerable, as are Linux users running 11.2.202.438 or lower. Adobe has not yet revealed the exact nature of the flaw, but due to the elevated privileges Flash requires in order to work, the bug can allow attackers to obtain control over a remote computer without the user being aware or actively downloading anything, often referred to in the Windows world as a “drive-by download.”
Users can determine what version they are currently running by visiting Adobe’s Flash installer page, where they can also install the latest version. Chrome users should disable Flash until Chrome is updated to address the issue.
