Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.
The latest update brings Flash to v. 18.104.22.168 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.
The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.
If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually check for updates in Chrome an restart the browser to get the latest Flash version).
For some reason that probably has nothing to do with security, Adobe has decided to stop distributing direct links to its Flash Player software. According to the company’s Flash distribution page, on June 30, 2016 Adobe will decommission direct links to various Flash Player downloads. This will essentially force Flash users to update the program using its built-in automatic updates feature (which sometimes takes days to notice a new security update is available), or to install the program from the company’s Flash Home page — a download that currently bundles McAfee Security Scan Plus and a product called True Key by Intel Security.
Anything that makes it less likely users will update Flash seems like a bad idea, especially when we’re talking about a program that often needs security fixes more than once a month.