Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.
In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google — was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.
Adobe is urging users of Adobe Flash Player 22.214.171.124 and earlier versions for Windows, Macintosh, Linux and Solaris to update to Adobe Flash Player 126.96.36.199. Users of Adobe Flash Player 188.8.131.52 and earlier versions on Android 4.x devices should update to Adobe Flash Player 184.108.40.206. Users of Adobe Flash Player 220.127.116.11 and earlier versions for Android 3.x and earlier versions should update to Flash Player 18.104.22.168.
To find out what version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center. Be careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus), or you could end up with more than you wanted. Thankfully, Adobe no longer appears to make you first install its annoying Download Manager to grab the latest Flash version, or at least it didn’t when I fetched the update today.
Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome users should already have this update, as Chrome auto-installs Flash updates – often hours or days before the fixes are publicly released for download.