arstechnica.com - 1 year ago

Emergency Flash update fixes security bug being used to hijack PCs

businessbrief.png

Adobe has released an emergency update for its Flash Player that fixes a security bug that's being actively exploited to hijack Windows computers running the ubiquitous software.

The "object confusion vulnerability" resides in all Flash versions, including those for devices running Mac OS X, Linux, Google's Android OS, and Windows, Adobe said in an advisory published Friday. The bug "is being exploited in the wild in active targeted attacks designed to trick the users into clicking on a malicious file delivered in an e-mail message," it went on to say, citing reports received from Microsoft. The exploits target Flash on Internet Explorer for Windows only.

While attacks are limited to Windows users and appear to be highly selective in who is targeted, people running other systems, particularly Macs, should install the security fix immediately. As the 600,000 or so Mac-using victims of the Flashback malware learned last month, Apple's OS X is becoming a viable target now that its market share has risen to levels that make it worth an attacker's time. The experience shows that determined hackers can exploit any unpatched platform and that complacency about installing updates is one of the biggest obstacles to securing a system.

Those running Flash Player 11.2.202.233 and earlier on Windows, Mac, and Linux; versions 11.1.115.7 or earlier on Android 4.x; and versions 11.1.111.8 on Android 3.x and 2.x should update at once. To find out what Flash version a device uses, users can visit this link. Adobe still hasn't made its patching system as simple as it needs to be for it to be widely used, but it's getting better. Windows users now have the ability to receive updates relatively seamlessly, and a separate version of Flash for Google's Chrome browser for all operating systems also updates automatically. Those on other platforms still must manually install fixes.

Users can download the updates here, except for Android users, who must get them from Google Play.

Read the comments on this post

Top News