Adobe has released a security update for its Flash Player to address a critical security vulnerability [CVE-2012-0779], which might allow an attacker to gain control of targeted systems. The company’s Security Bulletin [APSB12-09] says the following versions of the software are affected:
- Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh and Linux operating systems
- Adobe Flash Player 18.104.22.168 and earlier versions for Android 4.x, and Adobe Flash Player 22.214.171.124 and earlier versions for Android 3.x and 2.x
Windows, Linux, and Mac OS X users can verify the version of Flash Player installed on their systems by visiting this Flash Player page on Adobe’s Web site. The version number of the update for these platforms is 126.96.36.199. Information on Android version numbers is in the Security Bulletin.
Windows users who have the silent update option enabled should receive the new version automatically. Windows or Mac OS X users can get the update using the update mechanism built into the software. Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page. Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser that they have installed.
According to the Security Bulletin, Flash Player bundled with Google Chrome was “updated automatically”. In the past, updates to the player have meant a new Chrome release; none has appeared so far. I’m trying to find out if this has actually changed, and will update this post when I get some definite information.
Flash, because it is so widely installed across multiple platforms, is an attractive target for the Bad Guys. There are reports that the vulnerability fixed in this update is already being exploited. At present, these attacks appear to target Internet Explorer on the Windows platform, but other systems are also potentially vulnerable. I recommend updating you system as soon as you conveniently can.