The A List Apart Blog Presents:

The Latest Flash 0-day is no Joke

Article Continues Below

I’m guessing there’s a better than decent chance that you’ve already heard about this, but this is such a bad one I thought I would just make sure: The appropriately-named Hacking Team was hacked earlier this week, and in the 400 gigs of data stolen from them was a previously unknown 0-day Flash exploit. The exploit allows web sites to execute arbitrary code on vulnerable machines.

The Hacking Team makes a living selling tools that allow their clients, mainly governments and law enforcement, to surveil internet users and snoop on encrypted internet traffic. An important part of their service is collecting unknown exploits and keeping them a secret so they don’t get patched, and can continue to be exploited.

Flash gets updated a lot, often for security purposes. What usually happens is a security firm, or a hacker looking for a bounty, or Adobe itself will find a vulnerability, and the Flash team will quietly patch their software before the exploit becomes widely known. This time, the exploit is already out there, and is quickly making its way into malware tools.

So, I assume you’re already multi-tasking and disabling Flash in your browsers. (Here’s how to disable Flash in Chrome. And Safari. And Firefox. And IE.)

And now you should go patch Flash.

7 Reader Comments

  1. Agreed. We need to stop talking about “patching Flash” and start talking about “uninstalling Flash.”

    Even Adobe doesn’t have any skin in the game anymore.

  2. fwiw, Adobe Connect requires Flash … we use it quite often for remote training and webinars. Adobe uses it too of course for their own public and NDA online webinars.

  3. Your post is already out of date, this issue has already been fixed and automatically updated on everyone’s machines. nice try though.

  4. @pete shand — Notifications are automatically sent, but on some platforms they still require user intervention to actually install. (On OS X, in particular, it’s not a quick process.) Flash sends so many updates, many many people ignore the notifications not knowing they are often ignoring critical security updates.

Got something to say?

We have turned off comments, but you can see what folks had to say before we did so.

More from ALA

Designing for the Unexpected

As devices continue to diversify in dizzying ways, how can we make sure our work on the web stays as relevant as ever for the long haul? Cathy Dutton shares how practitioners must perfect designs both for the paradigms of the present and the twists of the future, come what may.
Design

Asynchronous Design Critique: Getting Feedback

Receiving feedback can be a stressful experience: will an open-ended question attract helpful guidance or harsh criticism? Erin “Folletto“ Casali coaches us through a process to ensure that feedback always lands gracefully.
Design

Asynchronous Design Critique: Giving Feedback

You’ve heard the term “constructive criticism” countless times but do you know how to deliver it? Part one of this series from Erin ‘Folletto’ Casali gives you a framework for it! Flex your feedback muscles and practice these skills to empower and inspire others without deflating or confusing them.
Design

That’s Not My Burnout

If, like many folks during the pandemic, you’ve begun confusing burnout for achievement, Donna Bungard will show you how to recognize that you’re low on fuel and give you a map of rest stops where you can refill your tank.
Career