bit-tech.net

Adobe warns of critical Flash vulnerability

If you've got Adobe Flash Player installed, you'd do well to grab the latest version as the company warns of yet another serious security flaw in the product.

Adobe has released a critical patch for serious security vulnerabilities in its Flash Player software, warning that OS X and Windows users are under active attack.

The patches, which Adobe recommends should be installed on all systems with Flash Player across Windows, OS X, Android and Linux platforms, address vulnerabilities in the software that are being actively exploited in the wild by ne'er-do-wells intent on taking over computers for their own nefarious ends.

'Adobe is also aware of reports that [the vulnerability] is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content,' the company admitted in its security bulletin on the matter.

The flaw can be exploited via a maliciously-crafted SWF file, either through the user's browser or embedded in files opened by other applications - as with the Word document example given by Adobe. When exploited, it allows the attacker full control over the client system using the privilege level of the affected user.

It's a serious flaw, but hardly the first: the ubiquity of Adobe Flash Player and its presence in most browsers, either as embedded code or as a plug-in module, make it a favourite of crackers and virus-spreaders across the world. A similar emergency patch was released in August last year, itself following multiple emergency patches dating back to the launch of the software. That's not even getting into the issue of Adobe Acrobat or the company's free Adobe Reader packages, which have their own troubled history.

Those who have Flash Player installed as a plug-in in their browser are advised to download and install the update as soon as possible, while users of Google Chrome and Microsoft Internet Explorer 10 will need to sit tight and wait for the companies to patch the built-in Flash Player code.

16 Comments

.//TuNdRa 8th February 2013, 13:18 Quote
I'm reading all this with the various different flash adverts going around the page. Way to make me paranoid, Bit.
Spraduke 8th February 2013, 13:22 Quote
Flashblock for Firefox is your friend.
Griffter 8th February 2013, 15:10 Quote
3rd!! :D
mdshann 8th February 2013, 19:05 Quote
Flashblock is my savior. I even use it on Linux.
theshadow2001 8th February 2013, 20:16 Quote
I wonder if it's even possible to have something which is as ubiquitous as flash with similar features but is much less open to exploits. Or is that just having cake and eating it too.
KidMod-Southpaw 8th February 2013, 21:33 Quote
God I love you flashblock.

Grandpa just rang up before with continuous warning messages on every common page such as Ebay, asking him permission to run flash player. Could this have anything to do with it?
ArcAngeL 8th February 2013, 22:48 Quote
Uninstall. It's time flash and java was no more. Html5 all the way.
theshadow2001 8th February 2013, 23:07 Quote
Quote:
Originally Posted by ArcAngeL
Uninstall. It's time flash and java was no more. Html5 all the way.

There's no doubting the security cluster **** that is java and flash is up there too. But what happens when html 5 becomes equally ubiquitous. The security holes will probably start getting poked in it quite quickly too.
KidMod-Southpaw 9th February 2013, 00:57 Quote
Every standard will come and go, they always do.
leexgx 9th February 2013, 16:59 Quote
If you're using Chrome or Opera (and soon Firefox) you can enable "Click to play" (under settings > adv > Content) or "Load Plug-in Only on demand" (tools > Pref > ADV > content), that puts a Play icon where the Flash or Java object normally is (a side effect: it also stops most ads from showing if they lack a static ad backup). I got a Play icon at the bottom of this forum right now (floating ad frame).
abezors 9th February 2013, 17:11 Quote
Quote:
Originally Posted by ArcAngeL
It's time flash and java was no more. Html5 all the way.

Agreed. Flash is a necessary evil until youtube goes fully HTML5 (currently they're beta testing it). Once youtube is converted, the rest of the web won't take too long I'd imagine.

It's quite unbelievable how something as badly performing as flash is still the go-to plugin. It brings single-core laptops to their knees
jrs77 9th February 2013, 17:19 Quote
Been saying for two years already that Flash and Java need to go in favour of HTML5. Nobody really needs Flash and Java anyways, as you can do most of the stuff with pure HTML5 and CSS. The only reason for Flash still being around is the heavily used FLV.
Java is already gone for the bigger part and only JavaScript is being used, but that doesn't require any PlugIns to begin with.

Hopefully youtube makes the transition to HTML5 sooner than later, as this will make Flash useless for the majority of users.
IvanIvanovich 9th February 2013, 21:56 Quote
There are still a lot of web games around that use flash and/or java though those could be replaced by webgl. Though I agree for many people flash has become nothing more than an annoying ad delivery system.
LightningPete 10th February 2013, 05:10 Quote
To be fair, the rest of you smashing Flash with the negative 'Ban' style hammer, you must remember 5-8 years ago it was a great piece of software that was used for a lot of things and we didn't exactly hate it then. If anything HTML5 is grown from the advantages of Flash and Java alike (in a way). And let's face it, something that was used in a lot of applications and webpages is bound to be exploited at some point like EVERYTHING that's connected to the internet. HTML5 is not going to pretend like Mac and Apple nerds incorporated that they are invincible to flaws, viruses, exploits etc. As humans and as everything above is designed by humans nothing is perfect from or by us. The fact they have addressed it is something rather than this being found 12 months later or something done about it at a far later date.
PingCrosby 10th February 2013, 20:47 Quote
Please do NOT flash in this weather as you will be left vulnerable due to the icy conditions, speaking as a professional flasher ( I was going to retire but thought I'd stick it out a while longer ) I know what I'm talking about.
Hakuren 11th February 2013, 21:14 Quote
Everybody responsible for conceiving, developing and implementing Flash should be burned alive, hanged, shot, chopped to tiny little bits and then fed to the sharks.

It just gets me really turned on when Flash is running [e.g.] router management. It is simply a retarded idea on WS without Flash, which was on purpose removed or never existed in the first place...

BTW: I have hated Flash since the first day I saw that crap.