CyberCrimeSecuritySecurity Management

Adobe Rushes Out Emergency Patch For Flash

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

A vulnerability in Flash is being actively exploited, prompting Adobe to issue an emergency patch

Adobe has rushed out an emergency update for Flash that fixes a vulnerability being actively attacked.

The update comes after the company issued emergency updates last month to more than two dozen “critical” security vulnerabilities, most of which could allow an attacker to take over a user’s computer.

Flash Patch

Adobe-Touch-Apps-Family-LogoThe current Flash update (CVE-2016-7855) covers all platforms including Windows, Mac, Linux and Chrome OS. The firm said that the update addresses a critical vulnerability that could potentially allow an attacker to take control of the affected system.

“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10,” it warned in its advisory.

According to Kaspersky Lab, the CVE-2016-7855 flaw was privately disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group. It noted that Mehta was one of four researchers who was credited with finding and disclosing the Heartbleed vulnerability in 2014.

Heartbleed of course was one of a string of Internet-wide vulnerabilities found in OpenSSL and allowed an attacker to read memory from encrypted sessions.

“Adobe would like to thank Neel Mehta and Billy Leonard from Google’s Threat Analysis Group for reporting CVE-2016-7855 and for working with Adobe to help protect our customers,” said Adobe.

Ongoing Concerns

Adobe has issued a number of emergency patches for Flash this year due to critical vulnerabilities being ‘actively exploited’ in the wild.

Indeed, flaws and vulnerabilities with Flash are a depressingly familiar story to many in the security industry. Last year Mozilla lost patience and blocked Adobe Flash by default following the discovery of yet more zero-day vulnerabilities in the browser plug-in. That block remained in place until Adobe rushed out a patch for the flaw.

And even Adobe itself apparently recognises the days of Flash are numbered. In December, it acknowledged the inevitability of an HTML5 world and said it was now “encouraging” developers and content creators away from Flash, in order to use newer web standards.

But a study published in June found that the transition to HTML5 is unlikely to prevent the types of attacks that currently exploit Flash bugs, since attackers can easily design similar attacks that don’t require Flash.

Adobe’s Flash was also famously hated by the late Steve Jobs, after the former Apple CEO famously called it a doomed technology. Indeed, such was Jobs opposition to Flash that he publicly attacked it in April 2010, which prompted a bitter spat with Adobe’s CEO.

The bad blood between Apple and Adobe continued for some time, not helped by an Adobe ad campaign that blasted Apple for its closed approach regarding developer licensing.

Are you a security pro? Try our quiz!