Another day, another zero-day vulnerability discovered in Flash - one that’s actively being exploited in the wild. The company hasn’t yet released a patch but it’s promising to do so this week.
For the third month in a row, Adobe’s engineers are scrambling to patch a zero-day vulnerability that cybercriminals are already exploiting. According to the company’s own security advisory, the bug affects the latest version of Flash, 126.96.36.199, on all systems, including Windows, OS X, Linux and Chrome OS.
The vulnerability can be used to trigger a crash in the Flash plugin, after which attackers can take control of the affected system. According to the security firm Kaspersky, which discovered it, the zero-day exploit is already being used in the wild by cybercriminals going after enterprise machines. According to a different report, those running EMET, Microsoft’s Enhanced Mitigation Experience Toolkit, are secure for now.
Adobe is promising to put out a patch this week, maybe even as soon as tomorrow. However, Flash’s security vulnerabilities seem to never end, so customers might simply be better off disabling Flash altogether.
In fact, Apple, Google and Firefox all appear to agree with that assessment, and the companies have taken steps to have Flash disabled by default in their browsers. The latest to jump on this bandwagon was Apple, which is disabling Flash by default in Safari 10, as we reported earlier.
With so many security risks, and companies moving away from the plugin, it’s clear that Flash’s days are numbered.