Sophos Cloud Optix
As happens every so often we have a critical fix being released on a day other than Patch Tuesday.
Adobe released an emergency update for its Flash Player plugin for Windows, OS X and Linux to fix a zero-day vulnerability.
The fix addresses CVE-2014-0497 a integer underflow vulnerability that can be used to achieve remote code execution.
Adobe reports that the vulnerability has been in use in the wild, meaning attackers are already aware of the flaw and actively exploiting it.
Adobe emphasizes that both Windows and OS X users should consider it priority 1, while Linux users can treat it as priority 3.
This suggests the attacks they have seen may be targeting both Mac and Windows users.
Flash Player is embedded into Google Chrome and Microsoft Internet Explorer 11 on Windows 8 and 8.1, so you will need to check for Chrome updates or Windows Updates for these browsers.
If you are a Linux user Flash is usually distributed by your distribution’s package manager where you normally receive updates.
Others can get the latest Flash versions from Adobe at http://get.adobe.com/flashplayer.
The patched versions for Windows and Mac are 12.0.0.44 and 11.7.700.261. Linux users should update to 11.2.202.336.
Note: Apple has released a plugin blocker update for OS X blocking the use of Flash Player releases previous to 12.0.0.44.
“The patched versions for Windows and Mac are 12.0.0.44”
Downloading from the Adobe site gives me (Win 7 Home)
12.0.0.44 for the “Other Browser” version (NPAPI), but
12.0.0.38 for the Internet Explorer version (ActiveX)
Is this the case?
Not that I can tell… Adobe specifically says versions below .44 are vulnerable. Are you running IE 11?
Here is what I get on IE 11 with Windows 7
https://cloud.zuzax.com/public.php?service=files&t=89c1189d9f3c8a6ebbc9676ae7ff0553
Further investigation: Looks like an oddity in Secunia PSI (2.0), I downloaded and then rescanned the specific item and got the version numbers reported above. Did a complete rescan and the ActiveX version disappeared altogether from the scan results. In the folder Flash32_12_0_0_44.ocx is showing, so it does look as if it has updated.
Please help! I do not understand what I need to do, if anything. I have Windows XP. Don’t know what else you might need to know to help me.
Probably upgrading Windows would be a good start. XP goes out of support in 62 days and counting…
Upgrade XP for a start! If your worried about this adobe update then I’m sure you will be a lot more worried come April/May when XP comes to end of life and won’t be getting anymore updates.
Buy a new computer! Windows XP is not supported in April! The OS is twelve years old! If you are worried about this Adobe problem you should be more worried about that April problem!
Jo
Just go to http://get.adobe.com/flashplayer and follow the instructions to update your version of Flash Player.
If you have autoupdate enabled, it will probably be updated already.
This update 12.0.0.44 is not very new. When I had downloaded it (for OS X) via your link http://get.adobe.com/flashplayer Abobe stated that it was created on 10th January.
Jo,
If you use Internet Explorer:
Start–>Control Panel–>Flash Player–>Advanced.
Change the Update settings to “Allow Adobe to install updates (recommended)”
Then you will always be up-to-date and you won’t need to do anything.
If you are using Chrome or Firefox, you are probably already getting automatic updates.
Updates not yet available for enterprise distribution as msi packages !!