This is getting out of hand. For the second time this month, Adobe has issued an urgent warning telling users of its Flash plug-in to download a patch as soon as possible to avoid dangerous attacks by hackers.
Tuesday’s surprise update patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin. Although anyone who runs Flash on a PC or Mac should install the patch as soon as possible, it’s even more urgent to do so if you’re using Mozilla’s Firefox browser, Adobe said.
The attacks exploiting the vulnerabilities found by Adobe are designed to trick users into clicking on links that redirect them to a website carrying malicious Flash content. The company assigned the vulnerabilities its highest threat level, Priority 1, which identifies "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild."
The security bulletin lists versions of Flash that are vulnerable and need to be updated. Rather than wade through the list and try to figure out what version your system is running, I’d suggest just downloading the update, which you can find here.
One caution: Adobe’s download page will, by default, also serve up a copy of McAfee Security Plan Plus. If you don’t want it, be sure to uncheck the box. That, by the way, is one of my pet peeves. Hitchhiking apps should not be installed by default; that box should be unchecked by default, but since Adobe profits by the arrangement, don’t expect the company to change its policy any time soon.
The update is Adobe's third this month and its second emergency update in less than three weeks. A fix for two zero-day threats issued on February 8 addressed vulnerabilities that affected all versions of Flash on Windows, Mac, Linux, and Android. (A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.)
According to the Kaspersky ThreatPost blog on the February 8 incidents, one of the attacks targets "aerospace and other manufacturing companies" by tricking people into opening a Microsoft Word document with malicious Flash content embedded in it. The second targets Firefox and Safari on Mac OS X by tricking users into visiting Web sites hosting malicious Flash content, and it aims at Windows users by way of a Microsoft Word attachment delivered via e-mail.
In case you've forgotten, there's a reason why Steve Jobs wouldn't allow Flash on iPhones and iPads. These repetitive vulnerabilities are exactly what the late Apple CEO wanted to avoid and why HTML 5 will eventually make Flash obsolete.
Then, of course, we had the totally separate, but equally unsettling, attacks on Oracle’s Java last month. All this makes me want to find a typewriter, tip the newspaper boy, and crank up the old transistor radio.