Adobe whacks Flash users with 23 security patches

Patchtastic Tuesday in store for Adobe Flash and Shockwave users

Adobe has released a batch of 23 patches intended to fix a slew of critical flaws in both Flash and Shockwave players - if anyone out there is still using Shockwave.

Eighteen of the 23 flaws, grouped under the APSB15-23 vulnerability identifier, can potentially be exploited by hackers to execute malware, although Adobe claims not to be aware of any exploits circulating in the wild taking advantage of the flaws (yet).

Other flaws could "lead to information disclosure", bypass security mechanisms in browsers and cause memory leaks. Adobe has also released updates for the AIR desktop runtime, which is used by the BBC iPlayer app, among others.

Security specialists have increasingly recommended that users, if not removing Adobe Flash completely, at least set it to "click to play" in web browsers in order to reduce the security risks associated with the bug-blighted software.

Adobe Shockwave, meanwhile, has been criticised for being even more insecure than Flash. Until recently, it ran an outdated and, hence, woefully insecure version of Flash. Adobe claimed recently that the version of Flash used to run Shockwave animations has been brought up-to-date. However, security specialist Brian Krebs claims that this is not the case.

"I checked back with Adobe last week to find out whether the version of Shockwave that the company released earlier this month has caught up [in terms of] Flash flaws. Turns out, it's still woefully behind. The version of Shockwave released just two weeks ago bundles the Flash runtime 16.0.0.305, a version of Flash that Adobe released in February 2015," according to Krebs.

Adobe acknowledged the work of a number of individuals and organisations for highlighting the security flaws, including Ben Hayak, Malte Batram, Google Project Zero, HP, and China's Tencent, Qihoo and Alibaba.

The latest patches cap a busy summer for Adobe's developers, who have been forced to introduce patches for security flaw after security flaw - most notably following the successful attack on Italian surveillance software company Hacking Team. This revealed that Hacking Team had been using a number of zero-day flaws in Adobe Flash to help its clients bypass the security of their targets. The company was forced to rush out a patch.

Earlier in the year, Adobe Flash had been implicated in security flaws exploited by a Chinese hacking group, while in June it was revealed that a slew of Flash exploits had been incorporated into one of the latest malware kits being used to conduct ransomware attacks.

Adobe's Flash and Acrobat Reader browser plug-ins are popular targets for malware writers and hackers as they are almost ubiquitous, not just on PCs, but across computer platforms, including Mac and Linux.