Zero-day exploit leaves Adobe Flash vulnerable to hackers

Thursday's security update didn't work

On Thursday, Adobe released a new security update initially intended to patch a zero-day security flaw in Flash - but mere hours after releasing the patch, Adobe admitted that hackers had already figured out how to work around it.

Information as of Friday indicated Adobe is not scheduled to release the newest security update until Monday (Jan. 26), so until then your safest course of action might be to disable Flash altogether.

(News Tribune Editor's Note: Some users have been receiving the newest version already. Judging by our own experience and according to the latest information from Adobe, users "who have enabled auto-update for the Flash Player desktop runtime" started receiving a new patched version on Saturday, but, for other users, it won't be available for manual download from the Adobe website until Monday.)

The zero-day vulnerability was first discovered and reported earlier this week by the security blog Malware Don't Need Coffee. But Adobe also investigated (and eventually confirmed) reports that hackers might already have figured out ways to work around the update, and continue exploiting the vulnerability.

In tech-speak, a "zero-day" threat is one that exploits a previously unknown vulnerability; since nobody (other than bad-guy hackers) knew about the security hole, nobody's had time to patch it, and so zero days pass between the discovery of the vulnerability and the discovery of the attack.

Adobe's Jan. 22 Security Bulletin says that the exploit affects Adobe Flash Player 16.0.0.257 and earlier versions; Adobe Flash Player 13.0.0.260 and earlier 13.x versions; and Adobe Flash Player 11.2.202.429 and earlier versions for Linux. If you don't know which version you have, you can find out by clicking here.

However, rather than worry about which still-vulnerable version of Flash you may have, you might be better off disabling it altogether until at least Monday, when the next patch is released.

For instructions on how to disable Flash in Chrome, click here. For Internet Explorer, click here. Click here for Firefox.

Thus far, the vulnerability doesn't seem to affect Macs, but Mac users might want to disable Flash on Safari just in case.
