Adobe fixes critical Flash flaw


As happens every so often, we have a critical fix being released on a day other than Patch Tuesday.

Adobe released an emergency update for its Flash Player plugin for Windows, OS X and Linux to fix a zero-day vulnerability.

The fix addresses CVE-2014-0497, an integer underflow vulnerability that can be used to achieve remote code execution.

Adobe reports that the vulnerability has been in use in the wild, meaning attackers are already aware of the flaw and actively exploiting it.

Adobe emphasizes that both Windows and OS X users should consider it priority 1, while Linux users can treat it as priority 3.

This suggests the attacks they have seen may be targeting both Mac and Windows users.

Flash Player is embedded into Google Chrome and Microsoft Internet Explorer 11 on Windows 8 and 8.1, so you will need to check for Chrome updates or Windows Updates for these browsers.

If you are a Linux user, Flash is usually distributed through your distribution's package manager, where you normally receive updates.

Others can get the latest Flash versions from Adobe at http://get.adobe.com/flashplayer.

The patched versions for Windows and Mac are 12.0.0.44 and 11.7.700.261. Linux users should update to 11.2.202.336.

Note: Apple has released a plugin blocker update for OS X blocking the use of Flash Player releases previous to 12.0.0.44.
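For anyone checking more than one machine, the patched version numbers above can be turned into a small inventory check. This is an added example, not code from Adobe or from the original article; the host names and the sample builds are constructed, and treating 11.7.x as its own release line that is compared only against 11.7.700.261 is an assumption.

```python
# Patched builds exactly as quoted in the article, per platform.
PATCHED = {
    "windows": ["12.0.0.44", "11.7.700.261"],
    "mac": ["12.0.0.44", "11.7.700.261"],
    "linux": ["11.2.202.336"],
}

def parse_version(text):
    """Turn '12.0.0.44' (or the comma form '12,0,0,44') into a tuple of four ints."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform, version):
    """True if the build is at or above the patched build of its release line.

    Assumption: a build is compared only with the baseline that shares its
    major.minor line; a build on any other line counts as patched only if it
    is newer than the highest baseline for that platform.
    """
    installed = parse_version(version)
    baselines = [parse_version(b) for b in PATCHED[platform.lower()]]
    for base in baselines:
        if installed[:2] == base[:2]:
            return installed >= base
    return installed > max(baselines)

def audit(inventory):
    """Return the (host, platform, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory (host names and builds are made up for the example).
SAMPLE = [
    ("ws-01", "windows", "12.0.0.44"),
    ("ws-02", "windows", "12.0.0.38"),
    ("ws-03", "windows", "11.7.700.261"),
    ("ws-04", "windows", "11.9.900.170"),
    ("mac-01", "mac", "11.7.700.260"),
    ("lnx-01", "linux", "11.2.202.336"),
    ("lnx-02", "linux", "11.2.202.335"),
]

if __name__ == "__main__":
    for host, platform, version in audit(SAMPLE):
        print(f"{host}: {platform} Flash {version} is below the patched build")
```

A build on an older line with no listed baseline, such as the constructed 11.9.x entry, is reported as needing the update rather than being compared with the 11.7 baseline.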


13 Responses to Adobe fixes critical Flash flaw

  1. Flickerman · 267 days ago

    "The patched versions for Windows and Mac are 12.0.0.44"

    Downloading from the Adobe site gives me (Win 7 Home)
    12.0.0.44 for the "Other Browser" version (NPAPI), but
    12.0.0.38 for the Internet Explorer version (ActiveX)

    Is this the case?

  2. Jo Pounders · 267 days ago

    Please help! I do not understand what I need to do, if anything. I have Windows XP. Don't know what else you might need to know to help me.

    • Guy · 267 days ago

      Probably upgrading Windows would be a good start. XP goes out of support in 62 days and counting...

    • Anonymous · 266 days ago

      Upgrade XP for a start! If you're worried about this Adobe update then I'm sure you will be a lot more worried come April/May when XP comes to end of life and won't be getting any more updates.

    • Blake · 266 days ago

      Buy a new computer! Windows XP is not supported in April! The OS is twelve years old! If you are worried about this Adobe problem you should be more worried about that April problem!

    • MikeP_UK · 266 days ago

      Jo

      Just go to http://get.adobe.com/flashplayer and follow the instructions to update your version of Flash Player.

    • a_v · 266 days ago

      If you have autoupdate enabled, it will probably be updated already.

  3. 4caster · 266 days ago

    This update 12.0.0.44 is not very new. When I had downloaded it (for OS X) via your link http://get.adobe.com/flashplayer Adobe stated that it was created on 10th January.

  4. Laurence Marks · 266 days ago

    Jo,
    If you use Internet Explorer:
    Start-->Control Panel-->Flash Player-->Advanced.
    Change the Update settings to "Allow Adobe to install updates (recommended)"
    Then you will always be up-to-date and you won't need to do anything.

    If you are using Chrome or Firefox, you are probably already getting automatic updates.

  5. The croW · 266 days ago

    Updates not yet available for enterprise distribution as msi packages !!


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.