Flash Player vulnerable again a week after patching

Summary: Despite releasing a patch to mitigate vulnerabilities in Adobe Flash Player last week, the company has had to release another patch today, in response to six new vulnerabilities.

Adobe has released yet another security update for Flash Player, addressing a new set of six vulnerabilities that affect even the version the company patched just last week.

Last week, Adobe urged Windows and Mac users to upgrade Flash Player to 11.3.300.271 and Linux users to upgrade to 11.2.202.238, to mitigate a vulnerability that was being exploited in the wild; victims would open a Microsoft Word document and become infected, or would be compromised via the ActiveX version of Flash Player for Internet Explorer. This vulnerability could cause the computer to crash and potentially allow attackers to take control.

Today, Symantec confirmed that attacks were indeed being carried out, observing over 1300 instances of malicious emails since 10 August. It pointed users to the 11.3.300.271 patch and urged them to keep their systems up to date.

But that patch is no longer sufficient against yet another set of vulnerabilities, which affect all versions of Flash Player, including those for Android 4.x, 3.x and 2.x. Like the previous vulnerability, these could allow attackers to crash and take control of the targeted computer or device. They have earned Adobe's highest severity rating of critical, leading Adobe to release a new patch only a week after the last.

Adobe has assigned the new Windows patch a Priority 1 rating. This means that the company believes the vulnerability is either being targeted, or has a high risk of being targeted, by an exploit that is available in the wild. It recommends updating to the newer 11.4.402.265 version of Flash Player as soon as possible.

The patch for Macs has a lower Priority 2 rating, meaning there are no known exploits in the wild, while Linux and Android have been assigned Priority 3. Adobe suggests users use their own discretion for these systems, as they are typically not targeted.
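The article gives two version numbers for Windows: 11.3.300.271, last week's patch that is no longer sufficient, and 11.4.402.265, the version Adobe now recommends. A defender checking an inventory against the new baseline needs to compare those dotted versions numerically rather than as strings. The following is an added example, not code from the article or from Adobe; the only version values taken from the page are those two, and the hostnames, the other version strings and the function names are constructed for illustration.

```python
"""Patch-compliance check for dotted version strings (added example).

Assumptions: 11.4.402.265 is the Windows version the article recommends and
11.3.300.271 is the previous week's patch it says is no longer sufficient.
Every hostname and every other version string below is constructed sample data.
"""
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '11.4.402.265' into (11, 4, 402, 265) so each component compares as an integer."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, required: str) -> bool:
    """True when `installed` is at or above the `required` (fixed) version.

    Shorter tuples are padded with zeros, so '11.5' compares as 11.5.0.0.
    """
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


REQUIRED_WINDOWS = "11.4.402.265"   # version recommended in the article
PREVIOUS_WINDOWS = "11.3.300.271"   # last week's patch, per the article


def audit(inventory: List[Tuple[str, str]], required: str = REQUIRED_WINDOWS) -> List[str]:
    """Return the hosts whose recorded Flash version is below `required`."""
    return [host for host, ver in inventory if not is_patched(ver, required)]


# Constructed sample inventory: hostnames and the non-article versions are invented.
SAMPLE_INVENTORY = [
    ("ws-01", REQUIRED_WINDOWS),   # current
    ("ws-02", PREVIOUS_WINDOWS),   # patched last week, now out of date
    ("ws-03", "11.4.402.9"),       # hypothetical; a string compare would call this newer
    ("ws-04", "10.3.183.23"),      # hypothetical older branch
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: needs update to {REQUIRED_WINDOWS}")
    # Why numeric comparison matters: as strings, "9" sorts after "265".
    print("11.4.402.9" > "11.4.402.265")            # True, and wrong
    print(is_patched("11.4.402.9", "11.4.402.265"))  # False, correct
```

The `ws-03` entry is the pitfall worth remembering: a plain string comparison of `"11.4.402.9"` against `"11.4.402.265"` reports the host as up to date because `"9"` sorts after `"2"`, while the component-wise integer comparison correctly flags it.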

Adobe also released critical patches, with a Priority 3 rating, for the Windows, Macintosh and Android versions of Adobe AIR and for the AIR SDK (which includes AIR for iOS).

Topics: Security, Web development

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

6 comments
  • Users should dump Flash player

    If people were smart they would uninstall Flash player or disable it. If enough were to do this I think Adobe would retire it and web sites would stop including it. At first I thought I could not get by without it. But after a while I did decide it was something I could live without.
    jscott418-22447200638980614791982928182376
  • I Dumped Flash

    I uninstalled Flash about a year ago and have (almost) never looked back. I would go as far as to say that without it, I'm more productive.

    I do miss the daily/weekly patches (sic)...
    Gr8Music
  • Funny, I just blogged on Flash offline installer (un)availability...

    Funny, I just blogged on Flash offline installer availability here...

    http://cquirke.blogspot.com/2012/08/flash-offline-installers.html

    ...referring to an excellent blog post I read here:

    http://www.pretentiousname.com/flash_links/index.html

    Best practice is to patch a "great unwashed" PC before it goes online for the first time, hence a reason to prefer offline installers. Another is that sometimes the online installer fails to download as expected.

    That is what happened to me this morning - I knew I'd recently updated Flash, so when today's startup showed the "get Flash update" dialog, and it failed to find its target, I wondered if I'd been scammed. But a search showed there was indeed a new Flash... and then the fun started, trying to find an offline installer for it. Many of the links I found, were to a version even older than the last "update or else" version.
    cquirke
  • Is it only a Flash vulnerability?

    The article also says either the ActiveX version for Internet Explorer or a Microsoft Word document is necessary for the exploit to execute. Which begs the question, is MS opening the door that helps hackers exploit the Flash vulnerability?

    Note the problem is level 1 for Windows users, level 2 for Mac, level 3 for *nix.

    So if you are a Windows user that doesn't use Office (or turns off scripting/macro execution in Office/Word) or IE, what's your risk? FF, Chrome, etc. don't use ActiveX version of Flash.
    djchandler
  • They need to migrate Flash to HTML5.

    But it will take a while for websites that have Flash content to migrate to HTML5. I wish Adobe or someone would have a way to easily convert Flash content to HTML5 properly & securely so that any content will act & feel the same and it will be secure from hackers.
    phatkat