Time to update your Adobe Flash Players! Adobe has released Flash Player 10.1.85.3 for Windows, Macintosh, Linux and Solaris, and 10.1.92.10 for Android (Froyo). As in the past, follow the usual update procedure by visiting http://get.adobe.com/flashplayer. Android users can download the update from the Android Market. iPhone users, sorry, no Flash for you!
This is a critical fix that I highly recommend you install immediately. The flaw it addresses has been exploited in the wild since at least early September. Updates for Adobe Reader and Acrobat fixing this flaw and others will be released on October 4th.
Interestingly, Google Chrome users received the updated version of Flash in an update that occurred automatically on Friday, September 17th. I am quite a big fan of the integrated PDF viewing, Flash and other add-ons in Chrome that are always transparently updating. While Firefox is good at notifying me about out-of-date plugins and automatically downloading browser releases, Chrome makes it even more transparent. It does make testing vulnerabilities more difficult, but considering that is a bit of a niche problem, I can deal with it.
If you are a Linux user running a 64-bit variant, Adobe has also released a beta of Flash Player compiled for the x64 architecture.
For you Apple lovers who may be disappointed that your phone isn’t vulnerable, don’t worry. Apple has released a patch for OS X Snow Leopard today that fixes a flaw in the Apple Filing Protocol. This is a critical fix, as the flaw allows unauthenticated access to AFP file shares on Snow Leopard computers. To apply the fix, simply click the Apple in the upper-left corner and choose Software Update.
If you are interested in learning more about how cybercriminals are taking advantage of Adobe Reader and Acrobat, check back here late next week. Paul Baccas of SophosLabs UK will be presenting his paper “Finding rules for heuristic detection of malicious PDFs: with analysis of embedded exploit code” at the Virus Bulletin 2010 conference.