Emergency Flash Patch Now Available - Update Immediately
Update Adobe Flash to v184.108.40.206 or v220.127.116.116 for Linux.
Yesterday, we alerted readers to an emergency out-of-cycle patch from Adobe to address an actively-exploited vulnerability in Flash - that update was released late last night. On April 7th, 2016, Adobe patched over 20 total Flash Player vulnerabilities, including a critical vulnerability that could lead to remote code execution on a target computer.
The disclosed vulnerabilities would allow an attacker to remotely crash the targeted computer or potentially execute arbitrary code on that device.
This vulnerability impacts versions of Adobe Flash Player prior to the newly-released v18.104.22.168 on Windows, Mac OS X, Chrome OS, and v22.214.171.1246 on Linux operating systems.
Adobe is only aware of active attacks on vulnerable versions of Flash Player running on Windows 10 and earlier operating systems.
Due to the emerging risks outlined above, we strongly recommend that affected customers apply the available update to affected systems that have Flash installed. We also recommend uninstalling Flash from computers where possible, and at a minimum, keeping all installed plugins current with security patches.
The new version of Flash Player on most platforms is v126.96.36.199 or v188.8.131.526 on Linux operating systems.
Duo customers on our Duo Access can discover what versions of Flash Player users have via the Admin Panel’s Device Insight feature and use this information to quickly upgrade users to current versions or block access from outdated devices, using our Endpoint Remediation feature.
Below is an example of a User & Device report from Duo’s Admin Panel dashboard that shows you how many devices are running out of date browsers. You can toggle over time to pinpoint exactly when a new version is released, and how that changes the security health of your users’ devices.
Duo Labs is currently monitoring the status of this issue and we will be providing more information as deemed necessary on our blog at duo.com/blog.
We’re also looking to collect feedback for these types of threat notifications. Please provide any feedback to firstname.lastname@example.org.