Adobe has again had to update its Flash software for OS X, Windows, and Linux in light of a critical security flaw that allows remote attackers to take control of unpatched Macs or PCs, just 10 days after the previous critical fix was issued. The software is now at version 16.0.0.305, up from version 16.0.0.297. The update fixes CVE-2015-0313, a zero-day flaw that can be triggered simply by visiting a malicious or compromised website with Flash enabled.
The company has received numerous reports of the flaw being actively exploited on systems running Internet Explorer or Firefox, particularly those running Windows 8.1 or earlier. The flaw affects all previous versions of Flash, but the version 16 updates are only offered for fairly recent machines running OS X 10.6 or later, or Windows computers running 8.1. In the observed attacks, visitors are redirected from a compromised page to an attacker-controlled site hosting an exploit kit, which uses the zero-day to run code with the privileges of the Flash plugin and install malware on the machine.
Systems that cannot be updated to an OS version that supports Flash 16.x (or version 11.2.x for Linux users) are advised to disable Flash completely as soon as possible. The steady stream of critical flaws in Flash, which has persisted for several years, has led many users (and some major websites, including YouTube) to disable it or block Flash from running automatically.
Apple co-founder and former CEO Steve Jobs identified the security flaws in Flash as the major cause of crashes in OS X back in 2010 and wrote an essay on the topic when users complained about Apple’s decision not to allow Flash to be used on its iOS products. Adobe eventually gave up on Flash for mobile devices itself, after conceding Jobs’ point about its performance and battery life issues.
OS X disables Flash and Java automatically if they have not been used in at least 30 days, but using a blocker that allows Flash or Java to run only on a case-by-case basis (click-to-play), or disabling the two flaw-prone plugins completely where feasible, is the best course of action. Apple is likely to silently disable all older versions of Flash in Safari, essentially forcing an update for those users.
The update will be installed automatically on Mac and Windows systems that already have a recent version and have opted in to automatic updates. Otherwise, the latest version can be installed by visiting Adobe's Flash website and manually downloading the install package. The company says it is "working with our distribution partners" to update the built-in Flash included in Google's Chrome browser and in Microsoft's Internet Explorer 10 and 11.
Users can check which version they are currently running by visiting Adobe's Flash installer page, where they can also install the latest version. Chrome users should disable Flash until Chrome is updated to address the issue.
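Checking a single machine by hand is fine, but an administrator with a fleet wants to know which hosts are still below the 16.0.0.305 build named above. The following is an added example (not from the article or from Adobe) that parses Flash version strings numerically, compares them against that fixed build, and triages a constructed endpoint inventory. The plugin plist path and the CFBundleShortVersionString key are assumptions about where the OS X plugin records its version; the article gives no fixed build for the Linux 11.2.x branch, so versions from other branches are flagged for manual review rather than compared against the wrong threshold.

```python
"""Triage installed Flash Player versions against the fixed build 16.0.0.305.

Added example, not code from the article or from Adobe. The plist path below
and the sample inventory are assumptions / constructed data.
"""
import plistlib
from pathlib import Path

FIXED_VERSION = "16.0.0.305"  # fixed build for CVE-2015-0313 (from the article)

# Assumed location of the Flash NPAPI plugin bundle on OS X.
MACOS_PLUGIN_PLIST = Path(
    "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
)


def parse_version(version: str) -> tuple:
    """Turn '16.0.0.297' into (16, 0, 0, 297) so comparison is numeric.

    A plain string comparison would rank '16.0.0.97' above '16.0.0.305'
    because '9' > '3', which is exactly the mistake that marks a vulnerable
    host as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed build.

    Only versions in the same major branch are comparable: the 11.2.x Linux
    branch has its own fixed build that the article does not give, so we
    refuse to guess and raise instead of returning a misleading answer.
    """
    inst, fix = parse_version(installed), parse_version(fixed)
    if inst[0] != fix[0]:
        raise ValueError(
            f"branch {inst[0]}.x has its own fixed build; do not compare with {fixed}"
        )
    return inst >= fix


def installed_flash_version_macos(plist_path: Path = MACOS_PLUGIN_PLIST):
    """Read the plugin's Info.plist; return None when Flash is not installed."""
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as fh:
        info = plistlib.load(fh)
    # Assumed key: the bundle's short version string.
    return info.get("CFBundleShortVersionString")


def triage(inventory: dict) -> dict:
    """Split a {host: version-or-None} inventory into four buckets.

    'review' collects hosts whose version is in another branch or unparsable,
    so they are never silently counted as patched.
    """
    result = {"patched": [], "vulnerable": [], "no_flash": [], "review": []}
    for host, version in sorted(inventory.items()):
        if version is None:
            result["no_flash"].append(host)
            continue
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "review"
        result[bucket].append(host)
    return result


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = {
    "mac-01": "16.0.0.305",
    "mac-02": "16.0.0.297",
    "win-03": "16.0.0.235",
    "linux-04": "11.2.202.438",
    "win-05": None,
    "mac-06": "16.0.0.97",
}

if __name__ == "__main__":
    local = installed_flash_version_macos()
    print("local Flash:", local if local else "not installed")
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

The numeric parse is the part worth copying: a lexical comparison of the two constructed strings "16.0.0.97" and "16.0.0.305" says the first is newer, so any inventory script that compares version strings directly will under-report vulnerable hosts.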