Flash under attack, emergency patch issued: Update immediately

Summary: The Flash developer is rolling out an emergency update to the world's most popular Web plug-in to fix two vulnerabilities that are currently being actively exploited by hackers.

Adobe has issued an emergency fix for Flash to prevent two ongoing malware attacks against the world's most popular Web plug-in.

In an advisory note, Adobe announced the latest release of Flash Player 11.5, which patches two zero-day security vulnerabilities that hackers and malware writers are actively exploiting to spread malware.

While Flash users on Windows and OS X are understood to be the focus of the attacks, the unscheduled security fix is also available for Linux users and Android devices.

According to Adobe, the OS X exploit targets Safari and Firefox users and delivers malware via malicious Flash content hosted on Web sites. A separate flaw targets Windows users, who could be duped into opening Microsoft Word documents, sent as email attachments, that contain malicious Flash content.

Users are being warned to update their software as soon as possible, either by going to Adobe's Web site or by using the built-in updater in the Windows Control Panel or OS X's System Preferences.

Thursday's security advisory affects the following versions of Flash, which the update brings up to date:

  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and OS X;
  • Adobe Flash Player and earlier versions for Linux;
  • Adobe Flash Player and earlier versions for Android 4.x;
  • Adobe Flash Player and earlier versions for Android 3.x and 2.x.

Once the update is installed, you can verify that the latest version is installed by using the online Adobe version information tool.

But the fact that one of the exploits targets Firefox users on OS X may lead to questions being asked of the Web browser's maker, Mozilla.

In late January, Mozilla said it would block plug-ins in its Firefox Web browser in order to bolster security. With Firefox's new "Click to Play" feature, users must click on a plug-in to activate it, which prevents malware from being installed automatically when a user visits a malware-rigged Web site.

Web plug-ins such as Microsoft Silverlight, Adobe Reader, Apple's QuickTime and Oracle's Java were blocked in the latest browser update, but Flash was mysteriously left off the list. No explanation was given by Mozilla's director of security assurance, Michael Coates, in a recent blog post, except that the "plan is to enable Click to Play for all versions of all plugins except the current version of Flash."

Adobe acknowledged Kaspersky Labs, the Shadowserver Foundation, MITRE, and defense giant Lockheed Martin's computer security team for their help in discovering the vulnerabilities.

  • Subtle attempt at pointing the blame there..

    No, let's really point the blame where it is. Adobe. Why won't this also lead to "questions being asked of the operating system's maker, Apple".

    May as well go all the way to the bottom of the stack, "yep, the payload is compiled in x86, questions should be asked to Intel". Intel declined to comment no doubt because of how unrelated the problem is.

    The attack vector (flash) and the access mechanism (browser) are two very different things. Point the blame where the problem really is instead of misdirecting it to other parties.

    Well, you got me to comment, I guess your job is done.
  • date of alert

    I find your alert quite embarrassing.
    My copy of flashplayer 11.5.502.146 for Windows has a timestamp of Jan 9 2013.
    Imho you're a month late.
    • Read the post properly

      It says it brings the following (obsolete - implied) versions up to date. He does not say these are the up-to-date versions
      Alan Smithie
      • the following versions

        it's still quite poor to *not* mention what to expect after the update.
        I'd have to first call adobe's version checker to see what I have and then second do further research to find out what I *ought* to have.
        I expect the current version that I should update to, to be listed on a professional's website.
        It is ridiculous to tell me "Adobe has updated flash to 11.5" and then only list the earlier obsoleted versions.
      • Hmm.

        I've changed the wording around a bit. I can see now (when it's not 11 p.m...) that it could've been a bit confusing. Hopefully that clarifies.
    • Get mirror. Look into it. See embarrassment.

      Would someone please hold this guy's hand to help him cross the Flash Player street?
      • Why are you making excuses for this garbage

        Flash, Java and IE are full of security holes galore. Time to retire this crap.
  • current versions please

    Windows 11.5.502.149
    Android 4.x
    Android 2.x, 3.x
    Google Chrome and Internet Explorer update their embedded flash player automatically
    • Regarding IE

      Your last comment must only apply to IE10, all previous versions require manual updating.

      And I have NEVER had the Adobe automatic updater actually do an automatic update prior to getting a notification via tech websites or Secunia PSI that there is a security patch available.
  • For FF users living under a stone

    Install noscript and adblock
    Alan Smithie
    • RE: Install noscript and adblock

      Then, for NoScript:

      1. open the NoScript "Options ..." (with a right-click on the NoScript icon),
      2. click the "Embeddings" tab,
      3. check the "Forbid Adobe Flash" check box (allowed by default) and
      4. manage your 'frequently visited' (in lieu of 'trusted') web sites with NoScript's WhiteList.

      Because installing NoScript isn't enough. Proper use of NoScript will reduce one's Firefox attack surface considerably.
      Rabid Howler Monkey
      • Thank you

        your added instructions will help many users.
  • Microsoft is quicker than ever too

    Windows Update for Windows 8 patched it right away, a good thing even if I use Chrome for most of the time, though Google didn't tell me a thing.
  • I just stop using plugins

    A couple of weeks ago as Firefox started releasing Firefox with no plugins I realized that this was the only real way to move on beyond plugins. If a majority stopped using them then the web sites would begin to move on also and adapt quickly to HTML5. It would also push users who are stuck in the past to either update or face the fact that their system won't work on a modern internet. There will never be any plugin that is going to ever be secure for very long.
  • emergency update to the world's most popular Web plug-in
    Gee, I didn't know that.
  • And Guess who has been Warning us for Years about Flash...

    Lots of security experts have been warning us for years that Flash was a security nightmare, just waiting to cause us major problems. Why, I wouldn't be surprised if some techie-buddhists thought Steve Jobs was going to escape the wheel of incarnation and go straight to Nirvana for warning us against it all these years;)
  • Adobe, Adobe

    Your code is so dopey.
  • Flash...

    You would think by now the reliance on Flash would be a lot less. Just today I went to a corporate website which requires Flash for everything except the main menu. I couldn't even send a message to anyone at that company or the webmaster. Anyway the sooner Adobe Flash dies the better.