Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today. The company warns that an exploit targeting a previously unknown and critical Flash security vulnerability exists in the wild, and that this flaw allows attackers to take complete control over affected systems.
The latest versions that include the fix for this flaw (CVE-2014-0497) are listed by operating system in the chart below.
The Flash update brings the media player to version 184.108.40.206 for a majority of users on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash to v. 220.127.116.11. If your version of Flash on Chrome (on Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 32.0.1700.107 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right of the address bar, and select “About Google Chrome” from the drop-down menu).
The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).
Adobe did not include many details in its advisory about the nature of the attack that prompted this update, other than to credit two researchers from Kaspersky Lab for reporting the vulnerability. As such, this flaw may be related to this Feb. 3 blog post by Kaspersky, which references Adobe Flash in the context of a long-running cyber espionage campaign that Kaspersky has dubbed “The Mask”; the security firm says it plans to release more details about this campaign at its analyst summit next week.