Flash under attack, emergency patch issued: Update immediately

Adobe has issued an emergency fix for Flash to prevent two ongoing malware attacks against the world's most popular Web plug-in.

In an advisory note, Adobe announced the latest release of Flash Player 11.5, which will patch two security zero-day vulnerabilities that are actively being used by hackers and malware writers to spread malware. 

While Flash users of Windows and OS X are understood to be focus of the attacks, the release of the unscheduled security fix is also available for Linux users and Android devices.

According to Adobe, the OS X exploit targets Safari and Firefox users and delivers malware via malicious Flash content hosted on Web sites. A separate flaw could dupe Windows users into opening Microsoft Word documents as email attachments that contain malicious Flash content.

Users are being warned to update their software as soon as possible, by going to Adobe's Web site, or using the in-built updater in the Windows Control Panel or OS X's System Preferences.

Thursday's security advisory brings the following Flash versions up to date affects the following versions of Flash:

• Adobe Flash Player 11.5.502.146 and earlier versions for Windows and OS X;
• Adobe Flash Player 11.2.202.261 and earlier versions for Linux;
• Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x;
• Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x.

Once the update is installed, you can verify that the latest version is installed by using the online Adobe version information tool.

But by the fact that one of the exploits targets Firefox users on OS X may lead to questions being asked of the Web browser's maker, Mozilla. 

Late January, Mozilla said it would block plug-ins in its Firefox Web browser in order to bolster security. With Firefox's new "Click to Play," feature, users must click on the plug-in to activate it, preventing malware from being installed on users' machines automatically from accessing malware-rigged Web sites.

Web plug-ins such as Microsoft Silverlight, Adobe Reader, Apple's QuickTime and Oracle's Java were blocked in the latest browser update, but Flash was mysteriously left off the list. No explanation was given from Mozilla's director of security assurance Michael Coates in a recent blog post, except that the "plan is to enable Click to Play for all versions of all plugins except the current version of Flash."

Adobe acknowledged Kaspersky Labs, the Shadowserver Foundation, MITRE, and defense giant Lockheed Martin's computer security team for their help in discovering the vulnerabilities.