Flash, I love you, but we only have fourteen hours to save everyone’s computers. Adobe has urged users to patch their Windows, OS X and Linux editions of Flash Player to address 23 security vulnerabilities, including one that is actively being targeted in the wild.
The March update includes a number of fixes for vulnerabilities that could, if exploited, allow an attacker to remotely execute code on a targeted system simply by loading a malformed Flash file. In other words, visiting a booby-trapped webpage, or viewing a Flash ad, could inject malware into your computer.
One of those flaws, CVE-2016-1010, is being used for what Adobe calls “limited, targeted attacks.”
Users running Flash Player 22.214.171.1246 and earlier for Windows, OS X and Linux should look to update the software.
Flash Player for Linux 126.96.36.1999 and earlier and Adobe AIR Desktop Runtime and AIR SDK 188.8.131.520 as well as AIR for Android 184.108.40.206 and earlier should also be updated if possible. You can check your installed version here.
Users who have activated the “Allow Adobe to install updates” option on Flash Player for Windows and OS X should receive the update automatically. Google’s Chrome browser installs Flash updates automatically, too.
According to Adobe, the patched flaws, all of which could allow remote code execution, include three integer overflow vulnerabilities (one of those is CVE-2016-1010). Eleven of the flaws are use-after-free errors, and one is a heap overflow bug. The remaining eight exploitable programming blunders are memory corruption vulnerabilities.
Adobe has posted a full list of the CVE numbers as well as discovery credits for each of the vulnerabilities on its help site.
Adobe gave word of the Flash Player update earlier this week when it posted a scheduled security update for Adobe Acrobat and Reader to address a total of four vulnerabilities. That same day, Microsoft posted its monthly patch load for Windows, Office, Internet Explorer and Edge.
As always, going into you browser’s settings and enabling click-to-play for Flash is recommended as it will stop malicious Flash files from automatically firing up as soon as you load a page.