If you use Adobe Flash, apply the latest security update to avoid becoming a victim of an in-the-wild attack exploiting a vulnerability in the software. The attack currently seems to target users of Internet Explorer on the Windows platform only. Adobe has, however, issued an emergency security patch for Android, Linux and Mac users as well as those with Windows, which suggests it could be indicative of a wider problem with the software.

Adobe is recommending that users of Flash Player v11.2.202.233 and earlier for Windows, Mac and Linux update to v11.2.202.235. Android 4.x users of v11.1.115.7 and earlier should update to 11.1.115.8, and Android 3.x users of 11.1.111.8 should move to 11.1.111.9. Users of the Flash Player installed with Google Chrome need do nothing, as the update will have been applied automatically.

The Adobe Security Bulletin (APSB12-09) is rated critical, with the object confusion vulnerability (CVE-2012-0779) being actively exploited in the wild as I write. The exploit arrives in the form of an email with an attachment, and infection can only occur if the user clicks on that attached file to execute it. Once again, it's a message to all those who have itchy link-clicking fingers not to blindly assume that everything you get sent in the mail is OK to look at.

Windows users who opted in to the recently introduced silent update feature will have been protected by the security update as soon as it was made available and need do nothing further in order to protect all web browser clients installed on their system.

Adobe advises users who are unsure which version of Flash they are currently running to visit the 'About Flash Player' page, or to right-click on any content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. This check has to be repeated for every browser you have installed if you have not enabled the silent update feature on Windows.
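Where checking each browser by hand is impractical, the version thresholds above can be applied to a software inventory export. The following is an added example, not code from Adobe or from the original article; the `host,platform,version` line format, the platform labels and the sample data are assumptions, and any build below the fixed version named above is treated as needing the update.

```python
# Fixed versions named in the article for APSB12-09, keyed by platform label.
# The platform labels are assumptions made for this example.
FIXED = {
    "windows": (11, 2, 202, 235),
    "mac": (11, 2, 202, 235),
    "linux": (11, 2, 202, 235),
    "android4": (11, 1, 115, 8),
    "android3": (11, 1, 111, 9),
}

def parse_version(text):
    """Turn '11.2.202.233' into (11, 2, 202, 233); return None if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'update', 'ok', 'auto' or 'unknown' for one Flash install."""
    platform = platform.strip().lower()
    if platform == "chrome":
        return "auto"  # the player installed with Chrome is updated automatically
    fixed = FIXED.get(platform)
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # flag for manual review rather than guessing
    # Assumption: any build below the fixed version needs the update.
    return "update" if version < fixed else "ok"

def triage(inventory_text):
    """Classify 'host,platform,version' lines into {host: [(platform, status)]}."""
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if line.lstrip().startswith("#") or not fields[0]:
            continue  # skip comments and blank lines
        if len(fields) != 3:
            results.setdefault(fields[0], []).append(("?", "unknown"))
            continue
        host, platform, version = fields
        results.setdefault(host, []).append((platform, classify(platform, version)))
    return results

# Constructed sample inventory (not real hosts); one entry per browser plugin.
SAMPLE = """# host,platform,version
ws-01,windows,11.2.202.233
ws-01,chrome,11.2.202.235
tab-01,android4,11.1.115.7
srv-01,linux,11.2.202
"""

if __name__ == "__main__":
    for host, installs in triage(SAMPLE).items():
        print(host, installs)
```

Tuple comparison is used instead of string comparison so that a component such as `10` sorts after `2`; entries that cannot be parsed are reported as `unknown` rather than silently passed.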

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Had an interesting chat with a 'security researcher' friend of mine who pondered: is Adobe the new Microsoft as far as being sloppy on the security coding front is concerned, or should we really be pointing the finger of blame in the direction of JavaScript for the problems that both companies face with regards to browser-based exploits?