Emergency Flash Patch Now Available - Update Immediately

Update Adobe Flash Player to v21.0.0.213, or to v11.2.202.616 on Linux.

Yesterday, we alerted readers to an emergency out-of-cycle patch from Adobe to address an actively exploited vulnerability in Flash. That update was released late last night. On April 7th, 2016, Adobe patched over 20 total Flash Player vulnerabilities, including a critical vulnerability that could lead to remote code execution on a target computer.

Analysis

The disclosed vulnerabilities would allow an attacker to remotely crash the targeted computer or potentially execute arbitrary code on that device.

This vulnerability impacts versions of Adobe Flash Player prior to the newly released v21.0.0.213 on Windows, Mac OS X, and Chrome OS, and prior to v11.2.202.616 on Linux.

Adobe is only aware of active attacks on vulnerable versions of Flash Player running on Windows 10 and earlier operating systems.

Solution

Due to the emerging risks outlined above, we strongly recommend that affected customers apply the available update to affected systems that have Flash installed. We also recommend uninstalling Flash from computers where possible, and at a minimum, keeping all installed plugins current with security patches.

The new version of Flash Player is v21.0.0.213 on most platforms and v11.2.202.616 on Linux.
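To check an inventory export against the two fixed versions above, compare the version fields numerically rather than as strings. The following is an added example, not code from Adobe or Duo; the hostnames, platform labels, and inventory rows are constructed, and accepting both dotted and comma-separated version strings is an assumption about how your inventory tool reports Flash.

```python
import re

# Fixed versions named in this advisory, keyed by platform family.
# The platform labels are an assumption of this example.
FIXED = {
    "windows": (21, 0, 0, 213),
    "macos": (21, 0, 0, 213),
    "chromeos": (21, 0, 0, 213),
    "linux": (11, 2, 202, 616),
}

def parse_version(text):
    """Return a 4-int tuple, or None if text holds no Flash version.

    Accepts "21.0.0.197" and "21,0,0,197", optionally after a
    platform tag such as "WIN ".
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*$", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def assess(platform, version_text):
    """Classify one record as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never silently count unparsed rows as patched
    # Tuple comparison is numeric per field: (21,0,0,97) < (21,0,0,213),
    # whereas the string "21.0.0.97" sorts after "21.0.0.213".
    return "patched" if version >= fixed else "vulnerable"

# Constructed sample inventory: (host, platform, reported Flash version).
INVENTORY = [
    ("ws-001", "windows", "21.0.0.197"),
    ("ws-002", "windows", "21.0.0.213"),
    ("ws-003", "windows", "WIN 20,0,0,306"),
    ("mac-01", "macos", "21.0.0.97"),
    ("lnx-01", "linux", "11.2.202.577"),
    ("lnx-02", "linux", "11.2.202.616"),
    ("kiosk-9", "windows", "not installed"),
]

def triage(inventory):
    """Group hostnames by assessment result, preserving input order."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, platform, version in inventory:
        result[assess(platform, version)].append(host)
    return result

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Rows that land in "unknown" need manual review: they are either platforms outside the four listed here or version fields the parser could not read.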

Duo customers on our Duo Access can use the Admin Panel’s Device Insight feature to discover which versions of Flash Player their users have, and then use our Endpoint Remediation feature to quickly upgrade users to current versions or block access from outdated devices.

Below is an example of a User & Device report from Duo’s Admin Panel dashboard that shows you how many devices are running out-of-date browsers. You can toggle over time to pinpoint exactly when a new version is released, and how that changes the security health of your users’ devices.

Outdated Browsers - Duo User & Device Reports

Duo Labs is currently monitoring the status of this issue and we will be providing more information as deemed necessary on our blog at duo.com/blog.

We’re also looking to collect feedback for these types of threat notifications. Please provide any feedback to labs@duosecurity.com.