Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely-used program. Updates are available for Windows, Mac, Linux, Solaris and Android versions of Flash and Adobe Air.
The update fixes flaws present in Flash Player versions 188.8.131.52 and earlier for Windows, Mac, Linux and Solaris systems, and in Flash 184.108.40.206 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.
Adobe’s advisory says users of Flash version 220.127.116.11 and earlier should update to v. 18.104.22.168; those using Flash v. 22.214.171.124 and earlier versions for Android should update to Flash Player 126.96.36.199. Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR v. 188.8.131.5280. The company says it is not aware of any active attacks against these flaws at this time.
To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). Again, check the About Flash page with each browser you use to see whether you need to apply this update. To avoid using Adobe’s Download Manager, which tends to add little “extras” if you’re not careful, IE users can grab the latest update directly from these links; 32-bit IE installer, and 64-bit IE installer. Firefox and Opera users can grab the 32-bit installer here and the 64-bit version here. If you don’t know which one you need, just let Adobe’s site choose for you (although the download manager may try to foist other software unless you uncheck pre-checked options).
The installer for the latest Adobe Air version is available from this link.
Some Flash components also are bundled with Adobe Reader, so I asked Adobe whether current versions of Reader also were exposed to these vulnerabilities. Adobe spokeswoman Wiebke Lips confirmed that some of the issues fixed in today’s Flash Player update do impact the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and 9.x for Windows and Mac. Lips said Adobe feels comfortable that its sandboxing technology built into the latest versions of Reader will protect users until January, when the company expects to issue the next quarterly update for Reader.
“These issues will be resolved in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” Lips wrote. “Note that the Authplay.dll component is part of the ‘sandbox’ for users of Adobe Reader X (Protected Mode) and Acrobat X (Protected View), which would protect against potential exploits.”
Update: 11:34 p.m. ET: Updated the download links.