Adobe today issued an out-of-band software update to fix dangerous security flaws in its Flash Player products, including at least one that is actively being exploited. Patches are available for versions of Flash on Windows, Mac, Linux, Solaris and Android operating systems.
Adobe said one of the bugs, a cross-site scripting flaw, is being exploited in the wild in targeted attacks to trick users into clicking on a malicious link delivered in an email message. At the moment there isn’t much more information about this vulnerability (other than that Adobe credits Google with reporting it). That may soon change if news begins to surface about which organizations were targeted with the help of this flaw.
According to Adobe: “This universal cross-site scripting issue could be used to take actions on a user’s behalf on any website or webmail provider if the user visits a malicious website.”
This update applies to Flash Player 10.3.183.7 and earlier on Windows, Mac, Linux and Solaris systems, and Flash 10.3.186.6 for Android. Adobe’s bulletin says the company is fixing at least six different security flaws in this update. The latest version for Android devices is 10.3.186.7; for all others it is 10.3.183.10.
To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.
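An added example (not from Adobe or the original post): checking an inventory of Flash versions against the affected and latest versions quoted above. It compares versions numerically, because a plain string comparison ranks 10.3.183.10 below 10.3.183.7. The host names, the inventory rows, and the acceptance of comma-separated version strings are assumptions.

```python
# Added example; inventory rows below are constructed sample data.

# Highest affected version per platform family, as stated in the article.
LAST_AFFECTED = {"desktop": (10, 3, 183, 7), "android": (10, 3, 186, 6)}
# Latest versions given in the article.
LATEST = {"desktop": (10, 3, 183, 10), "android": (10, 3, 186, 7)}
DESKTOP = {"windows", "mac", "linux", "solaris"}


def parse_version(text):
    """Turn '10.3.183.10' into (10, 3, 183, 10).

    Comma separators are also accepted (assumption: some tools report
    the version as '10,3,183,10').
    """
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(platform, version_text):
    """Return 'affected', 'current', 'behind-latest' or 'unknown'."""
    name = platform.lower()
    family = "android" if name == "android" else "desktop" if name in DESKTOP else None
    if family is None:
        return "unknown"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable: needs a manual look
    if version <= LAST_AFFECTED[family]:
        return "affected"
    # Versions between the two thresholds are not described by the article.
    return "current" if version >= LATEST[family] else "behind-latest"


def audit(rows):
    """Map each host to its status."""
    return {host: classify(platform, ver) for host, platform, ver in rows}


INVENTORY = [  # constructed sample data
    ("ws-01", "Windows", "10.3.183.7"),
    ("ws-02", "Windows", "10.3.183.10"),
    ("ws-03", "Windows", "10,3,183,5"),
    ("tab-01", "Android", "10.3.186.6"),
    ("tab-02", "Android", "10.3.186.7"),
    ("kiosk", "Linux", "n/a"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:8} {status}")
```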
Careful or you will get the Google toolbar with the Flash update. I’m usually very careful but I did not see the pre-check box for it this time.
I have to laugh when the Flash update page asks me if I’d like to include CHROME in my download package. Sure, why not add a 22MB browser to my 1.2MB plug-in…eeesh!
Thank you; your timely news is always helpful.
Thanks as always – I followed your link and nothing else got messed up.
“Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice”
Is this true? I don’t think I have Flash installed in IE at all, so I only update once, for Firefox. Is there a Windows need for me to have Flash in IE?
Firefox is my current browser of choice.
Windows won’t let me use Firefox for updates. It forces me to use IE, so even though I only use it to go to Microsoft for updates, it had better also be secure, in case Microsoft is using Adobe Flash or anything else which needs patching.
While I am not currently using Safari, or Chrome, or whatever, I occasionally try them out. I am tempted to use Chrome for Google Plus.
Each browser which you use is going to need these security fixes, because they are for your browser, not for your PC.
Check your add/remove programs (XP) or Programs and Features (Vista/7) – If you see Adobe Flash ActiveX then yes you need to either remove it or update it. Microsoft does not require Flash for any of their services.
Thanks, I see no Adobe Flash ActiveX in my add/remove programs, so I don’t need to install the IE update.
“about which organizations that were targeted with the help of this flaw”
Right!! Adobe Update Download includes a surprise … Google Chrome which, given a choice, I would have declined. So, being inclined to reject support for Google Mgmnt’s political inclinations, I ‘uninstalled’ it immediately. I do not wish to support their ‘progressive redistributive agenda’…
Once you’ve used Ninite to create a custom app updater, you’ll never feel the need to download another update from Adobe’s own site that may include additional toolbars or crapware.
See Ed Bott’s review:
Why the down votes here? Anyone care to explain? After reading a couple of reviews and visiting the site, seems like this would be useful to folks who manage Windows computers.
Who knows? Maybe they don’t like ZDNet?! Maybe they would rather just wait for Brian’s articles; which isn’t a bad idea.
I like File Hippo Update Checker, but this time Secunia PSI beat them both to the punch. PSI can automatically update some applications such as these.
Sometimes Secunia can beat the headlines.