Written by Graham Cluley, ESET We Live Security
One of the favourite pieces of software for malicious hackers to target on users’ computers is Adobe Flash Player.
Why? Well, there are a few reasons.
Firstly, Adobe Flash Player is on an awful lot of computers. Many users may have it installed it long ago in order to access Flash-based media content online, such as videos. Malicious hackers can rely upon a large number of people having Flash installed, making it a target for attack.
Secondly, the version of Adobe Flash Player installed on your computer may be out-of-date. Users may have failed to configure updates properly, or chosen to ignore reminders to update the software promptly when a new security update is released. There’s only one thing more attractive to a malicious hacker than widely-used ubiquitous software, and that’s widely-used ubiquitous software that hasn’t been kept updated with the latest patches.
It doesn’t matter if a hacker doesn’t have zero-day exploit to throw at your Adobe Flash Player if you haven’t been bothering to keep it protected against known vulnerabilities.
Thirdly, there has been a long history of malicious hackers finding critical security holes in Adobe Flash Player, and building their attacks into exploit kits for anyone to deploy. Flash is closed, proprietary software controlled by Adobe and it has been plagued with software vulnerabilities and serious flaws over many years. Quite why Flash has been targeted so often is open to some debate, but the mere fact that it has suggests that it will continue to be for some time to come.
The upshot of this is that when Adobe releases new security patches for Adobe Flash Player, it would be very sensible indeed for its users to sit up and take notice.
Earlier today Adobe issued a security advisory detailing updates it has released for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.
The updates are said to address critical vulnerabilities that could potentially allow an attacker to take control of a vulnerable system, allowing a remote attacker to execute code on a victim’s computer and take control over their device.
Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player version 18.104.22.168 as soon as possible. You can do this either by visiting the official Adobe Flash Player download page, or ensuring that Flash’s global settings are set to “install updates automatically when available”.
Even with that option enabled you may be disappointed to find that security updates are not immediately available to you, and – rather than wait – prefer to manually force an update instead.
Things are a little simpler for those who rely upon the Adobe Flash Player code integrated with the Google Chrome and Microsoft Edge browsers, as they should be automatically updated to the latest version as the browser itself updates.
The best approach of all, of course, if you want to permanently secure your computers and devices against Flash flaws is the nuclear option: uninstall Flash from your computer. Or – if you just need Adobe Flash for very specific websites or bespoke applications – have Flash installed on an alternative browser rather than the one you regularly use to surf the web.
If you’re not quite ready to take the step of entirely uninstalling Flash, then you should at the very least consider enabling “Click to Play”, which stops Flash elements from being rendered in your browser unless you give specific permission.