Flash Player vulnerable again a week after patching
Summary: Despite releasing a patch to mitigate vulnerabilities in Adobe Flash Player last week, the company has had to release another patch today, in response to six new vulnerabilities.
Adobe has released yet another security update for Flash Player, to address a new set of six vulnerabilities that even affect the company's most recent patch that was issued just last week.
Last week, Adobe urged Windows and Mac users to upgrade Flash Player to 11.3.300.271 and Linux users to upgrade to 11.2.202.238, to mitigate a vulnerability that was being exploited in the wild; victims would open a Microsoft Word document and become infected, or would be compromised via the ActiveX version of Flash Player for Internet Explorer. This vulnerability could cause the computer to crash and potentially allow attackers to take control.
Today, Symantec confirmed that attacks were indeed being carried out, observing over 1300 instances of malicious emails since 10 August. It pointed users to the 11.3.300.271 patch and urged them to keep their systems up to date.
But this patch is no longer effective against yet another set of vulnerabilities that affect all versions of Flash Player, including Android 4.x, 3.x and 2.x. Like the previous vulnerability, these could allow attackers to crash and take control of the targeted computer or device, and they have earned Adobe's highest severity rating, critical, leading Adobe to release a new patch only a week after the last.
Adobe has assigned the new Windows patch a Priority 1 rating. This means that the company believes that the vulnerability is either being targeted, or has a high risk of being targeted, by an exploit that is available in the wild. It recommends updating to the newer 11.4.402.265 version of Flash Player as soon as possible.
The patch for Macs has a lower Priority 2 rating, meaning there are no known exploits in the wild, while Linux and Android have been assigned Priority 3. Adobe suggests users use their own discretion for these systems, as they are typically not targeted.
Adobe also released critical patches for its Windows, Macintosh, Android and the SDK (which includes AIR for iOS) versions of Adobe AIR, with a Priority 3 rating.
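The article gives three different "patched" version numbers within a week, which is exactly the situation where an inventory check that compares versions as plain strings goes wrong. The script below is an added example, not part of the article or any Adobe tooling: it takes the version numbers and priority ratings the article states, compares installed versions component by component, and flags hosts that took last week's fix but not this week's. The inventory records are constructed, and because the article names the new 11.4.402.265 fixed version only for Windows, other platforms are reported for review rather than checked against a guessed number.

```python
"""Check installed Flash Player versions against the fixed versions named in the article.

Added example. Inventory records are assumed to be dicts with 'host', 'platform'
and 'version' keys; the sample records below are constructed, not real hosts.
"""
from typing import Dict, List, Tuple

# Versions and priority ratings as stated in the article. The new fixed version
# (11.4.402.265) is named only for Windows, so other platforms have no entry in
# CURRENT_FIX and are reported for manual review instead of being guessed.
LAST_WEEK_FIX: Dict[str, str] = {
    "windows": "11.3.300.271",
    "mac": "11.3.300.271",
    "linux": "11.2.202.238",
}
CURRENT_FIX: Dict[str, str] = {"windows": "11.4.402.265"}
PRIORITY: Dict[str, int] = {"windows": 1, "mac": 2, "linux": 3, "android": 3}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.4.402.265' into (11, 4, 402, 265); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, required: str) -> bool:
    """Numeric, component-wise comparison with zero padding.

    Plain string comparison is wrong for dotted versions: as strings,
    '11.10.0.0' < '11.4.402.265', although 11.10 would be the newer release.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(record: Dict[str, str]) -> Dict[str, object]:
    """Classify one inventory record against the article's fixed versions."""
    platform = record["platform"].lower()
    result: Dict[str, object] = {
        "host": record["host"],
        "platform": platform,
        "priority": PRIORITY.get(platform),
        "status": "unknown-platform",
    }
    if platform not in PRIORITY:
        return result
    required = CURRENT_FIX.get(platform)
    if required is None:
        result["status"] = "review: fixed version not stated for this platform"
        return result
    if is_at_least(record["version"], required):
        result["status"] = "patched"
    elif is_at_least(record["version"], LAST_WEEK_FIX.get(platform, "0")):
        # Took last week's patch but not this week's: still exposed to the six new issues.
        result["status"] = "vulnerable (only last week's fix applied)"
    else:
        result["status"] = "vulnerable (missed both patches)"
    return result


def assess_inventory(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Assess every record; Priority 1 platforms first, unknown platforms last."""
    out = [assess(r) for r in records]
    out.sort(key=lambda r: (r["priority"] is None, r["priority"] or 0))
    return out


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "win-01", "platform": "windows", "version": "11.3.300.271"},
    {"host": "win-02", "platform": "windows", "version": "11.4.402.265"},
    {"host": "win-03", "platform": "windows", "version": "11.2.202.235"},
    {"host": "mac-01", "platform": "mac", "version": "11.3.300.271"},
]

if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY):
        print(f'{r["host"]:8} P{r["priority"]}  {r["status"]}')
```

The useful output is the "only last week's fix applied" line: a host that was compliant seven days ago is the one most likely to be missed by a check that only asks "was Flash updated recently?".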
Talkback
Users should dump Flash player
I Dumped Flash
I do miss the daily/weekly patches (sic)...
Funny, I just blogged on Flash offline installer (un)availability...
http://cquirke.blogspot.com/2012/08/flash-offline-installers.html
...referring to an excellent blog post I read here:
http://www.pretentiousname.com/flash_links/index.html
Best practice is to patch a "great unwashed" PC before it goes online for the first time, hence a reason to prefer offline installers. Another is that sometimes the online installer fails to download as expected.
That is what happened to me this morning - I knew I'd recently updated Flash, so when today's startup showed the "get Flash update" dialog, and it failed to find its target, I wondered if I'd been scammed. But a search showed there was indeed a new Flash... and then the fun started, trying to find an offline installer for it. Many of the links I found were to a version even older than the last "update or else" version.
Is it only a Flash vulnerability?
Note the problem is level 1 for Windows users, level 2 for Mac, level 3 for *nix.
So if you are a Windows user that doesn't use Office (or turns off scripting/macro execution in Office/Word) or IE, what's your risk? FF, Chrome, etc. don't use the ActiveX version of Flash.
They need to migrate Flash to HTML5.