Adobe has released an emergency update for its Flash Player that fixes a security bug that's being actively exploited to hijack Windows computers running the ubiquitous software.
The "object confusion vulnerability" resides in all Flash versions, including those for devices running Mac OS X, Linux, Google's Android OS, and Windows, Adobe said in an advisory published Friday. The bug "is being exploited in the wild in active targeted attacks designed to trick the users into clicking on a malicious file delivered in an e-mail message," it went on to say, citing reports received from Microsoft. The exploits target Flash on Internet Explorer for Windows only.
While attacks are limited to Windows users and appear to be highly selective in who is targeted, people running other systems, particularly Macs, should install the security fix immediately. As the 600,000 or so Mac-using victims of the Flashback malware learned last month, Apple's OS X is becoming a viable target now that its market share has risen to levels that make it worth an attacker's time. The experience shows that determined hackers can exploit any unpatched platform and that complacency about installing updates is one of the biggest obstacles to securing a system.
Those running Flash Player 22.214.171.124 and earlier on Windows, Mac, and Linux; versions 126.96.36.199 or earlier on Android 4.x; and versions 188.8.131.52 on Android 3.x and 2.x should update at once. To find out what Flash version a device uses, users can visit this link. Adobe still hasn't made its patching system as simple as it needs to be for it to be widely used, but it's getting better. Windows users now have the ability to receive updates relatively seamlessly, and a separate version of Flash for Google's Chrome browser for all operating systems also updates automatically. Those on other platforms still must manually install fixes.