Kill Flash Now or Patch These 36 New Vulnerabilities

I don’t normally publish posts on individual software updates, but Flash is such a mess and such a security swamp that I feel compelled to do that.  Microsoft’s attempt to copy Flash – Silverlight – is even worse.  It is so bad that Google doesn’t support it inside Chrome.

My recommendation is that you uninstall Flash and Silverlight if you can do that and still operate your business.  Some web sites that businesses use still require Flash so you may need to keep it around.  More and more web developers are moving away from Flash due to the swamp that it is.

OK, so let’s look at this particular patch.

36 separate bugs are patched.  Microsoft releases patches once a month and usually has around 10-15 patches covering 50 software products.  Adobe seems to patch just this one product several times a month – sometimes several times a week – and is still patching 36 bugs in a single patch.   They have been doing this for as long as I can remember.  What does that mean about the security quality of the product?

One of those bugs, named CVE-2016-4171, is being exploited in the wild right now.

Adobe says the bugs were found by Cisco Talos, Google, FireEye, Microsoft, Tencent, Kaspersky, Pangu Lab and Qihoo.  That, of course, does not include every intelligence agency in the world.

To add insult to injury, this patch comes days after Adobe’s regular monthly Flash (and other product) patch release.

Apple has announced that it will be disabling Flash by default in Safari, Joining Google’s Chrome.

I use two browsers.  One browser, the one I use every day, has Flash completely disabled.  The other browser, a kind of ‘break class in case of emergency’, has Flash enabled, but I only use it if my main browser complains.

A lot of malware is delivered silently by Flash based ads that contain malware in the ads.  Major sites like The New York Times, BBC and AOL, among a number of others were hit with malicious ads recently.  The ads delivered ransomware to users who happened to have particular unpatched vulnerabilities and it DID NOT require users to click on anything to become infected.  Disabling Flash protects you against these attacks.

If, after all this, you really do need Flash, then make sure that you install this patch as soon as possible.

Information for this post came from The Register.

by