Windows 10 users at risk as Adobe readies patch for ‘critical vulnerability’ that is being ‘actively exploited’
Users of the Windows 10 operating system are being warned about a critical vulnerability with Adobe Flash.
The warning came from Adobe itself when it announced it would be issuing a security update this week in order to plug the flaw.
“A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh, Linux, and Chrome OS,” said Adobe in the security advisory. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”
Adobe urged Flash users to update immediately to the latest Flash Player (18.104.22.168) version to prevent the flaw being exploited – something which is already happening in the wild.
“Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 22.214.171.1246 and earlier,” the company added. “A mitigation introduced in Flash Player 126.96.36.199 currently prevents exploitation of this vulnerability, protecting users running Flash Player 188.8.131.52 and later.
“Adobe is planning to provide a security update to address this vulnerability as early as April 7.”
Adobe used its security advisory to thank Kafeine (EmergingThreats/Proofpoint) and Genwei Jiang (FireEye), as well as Clement Lecigne (Google) for reporting the flaw and working with it to patch the vulnerability.
Flaws and vulnerabilities with Adobe Flash are a depressingly familiar story to many in the security industry. Last year Mozilla lost patience and blocked Adobe Flash by default following the discovery of yet more zero-day vulnerabilities in the browser plug-in. That block remained in place until Adobe rushed out a patch for the flaw.
And even Adobe recognises the days of Flash are numbered.
In December, it acknowledged the inevitability of an HTML5 world and said it was now “encouraging” developers and content creators away from Flash, in order to use newer web standards.
Adobe’s Flash was also famously hated by the late Steve Jobs as well, after the former Apple CEO famously called it a doomed technology. Indeed, such was Jobs opposition to Flash that he publicly attacked it in April 2010, which prompted a bitter spat with Adobe’s CEO.
The bad blood between Apple and Adobe continued for some time, not helped by an Adobe ad campaign that blasted Apple for its closed approach regarding developer licensing.
Are you a security pro? Try our quiz!