Share this article on:
A critical Adobe Flash security flaw discovered by Google’s Project Zero and Trend Micro’s Peter Pi, has now been patched by Adobe; days ahead of schedule. The new patch also fixes two other security vulnerabilities discovered in Adobe Flash earlier this month.
The patch was originally scheduled to be released this week; however, Adobe released the emergency patch on Friday last week, just three days after it issued another patch to address 13 other critical security vulnerabilities.
An announcement made by Adobe earlier this week explained the seriousness of the 13 vulnerabilities, indicating “could potentially allow an attacker to take control of the affected system.” The same is true of the latest vulnerability, although in the latest case, it is not a case of “could” but “has already been.”
The exploit has not been reported to have been used to target healthcare providers, but Pawn Storm has used the exploit to target government ministries according to TrendMicro. The hackers devised spear phishing campaigns which directed their targets to web pages that hosted the exploit. The campaign took advantage of recent news events to convince users to click on the links. This is a common technique used by hackers in spear phishing campaigns. Should those links be clicked, the users would be directed to a website hosting the exploit, which would automatically be downloaded to users’ devices.
Any user of Flash who has not set the software to update automatically is advised to download the latest version as soon as possible. Some web browsers have been set to receive the updated patch automatically (Chrome, Microsoft Edge and Internet Explorer 10 and 11). Users of Firefox, Opera and earlier IE versions will need to download the update manually. The latest version numbers, for reference, are 220.127.116.11 for Windows and OS X, and 18.104.22.1685 for Linux.
It is essential that the latest version is installed if users wish to continue using the bug ridden software; however, since new vulnerabilities are being discovered with increasing regularity, the best option, in terms of security, is to disable the software so it does not launch automatically when visiting a website that uses Flash. Even better for security is to uninstall the software entirely.
How to Disable Adobe Flash Player and Prevent it from Automatically Running
If a website is visited which uses Adobe Flash, the user can then decide whether or not to run the software, and will be prompted to do so in their browser. However, many websites will be viewable even if Adobe Flash remains blocked.
To disable Adobe Flash, access “Add-Ons” in your browser settings and change the settings to prevent Flash from running automatically or disable it entirely. To do this, follow the instructions below:
Firefox: Open your menu, click on “Add-Ons”, locate Shockwave Flash, and set it to “ask to activate” if you still want to use Flash on certain websites, or select “never activate” to disable it entirely.
Opera: Access your security settings, select “plug-in settings”, and ensure that Adobe Flash Player is set to “Off”
Chrome: Visit chrome://plugins and make sure that the Adobe Flash Player “Always allowed to Run” box is unchecked, and click on the disable link to deactivate it for all sites.
Internet Explorer: Click on settings, then “manage add-ons”, locate Shockwave Flash Player, and select disable.
Microsoft Edge: Access your browser settings, click on “View advanced settings” under the Advanced settings option, and make sure the “Use Adobe Flash” option is set to off.
If you want to uninstall Adobe Flash completely, you can do so, but you will need to download the uninstaller from the Adobe website.