
Public Service Announcement - Update your Adobe Flash Player

  • 28-05-2008 7:13pm
    #1
    Registered Users Posts: 8,676 ✭✭✭


    Basically update Adobe Flash Player quick, big hoo-ha today where I work about the below. Seeing as we all use YouTube I thought it would be good to get people informed.
    If you have not yet applied the patch that Adobe released last month to plug security holes in its Flash Player, do not procrastinate further: Security experts warn that a growing number of Web sites are using Flash vulnerabilities to install password-stealing software when users visit them with unpatched Web browsers.

    It's not entirely clear whether the attackers are taking advantage of a brand new flaw, or one that Adobe already fixed.

    Symantec, McAfee, the SANS Internet Storm Center and some independent researchers raised the alarm on Tuesday, indicating that hackers were exploiting a previously undocumented and unpatched flaw in Flash.

    Further analysis of the sites distributing the malicious code suggests that the attack does not work against the latest version of Flash for either Internet Explorer or Firefox. So, users with the latest version of Flash should be protected from this attack.

    Symantec's initial writeup clashed with the conclusions I heard about Tuesday afternoon from researchers at Reston, Va., based iDefense. Matt Richard, director of rapid response for iDefense, told me the exploit appears to mimic a method written about in a white paper published last month by Mark Dowd, a researcher at IBM's Internet Security Systems.

    Symantec updated its initial advisory late Tuesday evening, to confirm that the bad guys indeed appear to have adopted the technique Dowd described. But Symantec says it is still working with Adobe to identify the precise details, "due to the fact that we have observed the malicious files affecting patched versions of Flash, suggesting it may be a variant or incorrectly patched."

    Richard said it looks like attackers first started exploiting this Flash flaw as early as May 24, and that the number of Web sites (both malicious and hacked) hosting or pointing to sites hosting the code is multiplying quickly.

    A spokesperson for Adobe declined to comment for this story, except to say the company was working with Symantec to investigate the vulnerability and that Adobe would likely have more details to share later today. I'll update this post in the event they release anything substantive.

    For now, even if you think you already patched your browser with the latest Flash update -- it's a good idea to go ahead and double check that all of your browsers are up-to-date. Installing Flash on Internet Explorer is a separate process than installing it on Firefox and Opera, so just because you installed it for Opera or Firefox doesn't mean you've installed it for IE as well, and vice-versa.

    To check your version, visit Adobe's "About Flash" page with all browsers you use regularly to make sure the version number says you are running Flash Version 9.0.124.0.

    If you are running a version of Flash that is anything less than 9.0.124.0 (i.e., a lower version number, such as 9.0.115.0 or 9.0.47.0), I would strongly advise you to update it now. Visit this link with whichever browser is outdated, and it should present you with the latest version to install for that browser type.

    Of course, the "noscript" add-on for Firefox can give users of that browser greater control over which sites should be allowed to serve Flash by default.

    Update, May 28, 12:56 p.m. The SANS Internet Storm Center updated its advisory on this attack today, saying the exploits found in the wild do not appear to attack a new vulnerability. A Storm Center incident handler I chatted with confirmed that none of the exploits spotted so far work against the latest, patched version of Flash, version 9.0.124.0.

    http://blog.washingtonpost.com/securityfix/2008/05/exploit_inthewild_patch_your_f.html?nav=rss_blog

    Check your version:

    http://www.adobe.com/products/flash/about/

    Download latest version:

    http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
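
Added example, not part of the original post or the quoted article: a per-browser check against the patched release 9.0.124.0, since the Internet Explorer install and the Firefox/Opera plugin are updated separately and report their versions in different string formats. The function names and the sample inventory are constructed for illustration; the formats assumed are the plugin description form ("Shockwave Flash 9.0 r124") and the ActiveX form ("WIN 9,0,124,0").

```javascript
// Patched release named in the post.
const PATCHED = [9, 0, 124, 0];

// Turn a reported version string into [major, minor, revision, build],
// or null when the format is not recognised.
function parseFlashVersion(raw) {
  if (typeof raw !== "string") return null;
  const s = raw.trim();
  let m;
  // Plugin description (Firefox, Opera), e.g. "Shockwave Flash 9.0 r115".
  // The fourth field is not reported in this form, so it is assumed to be 0.
  if ((m = /^Shockwave Flash (\d+)\.(\d+)\s+[a-z](\d+)$/i.exec(s))) {
    return [m[1], m[2], m[3], 0].map(Number);
  }
  // ActiveX control (Internet Explorer), e.g. "WIN 9,0,115,0";
  // also the dotted form shown on the About page, e.g. "9.0.115.0".
  if ((m = /^(?:[A-Z]+ )?(\d+)[.,](\d+)[.,](\d+)[.,](\d+)$/.exec(s))) {
    return m.slice(1, 5).map(Number);
  }
  return null;
}

// Numeric, field-by-field comparison: as text "47" sorts after "124",
// so 9.0.47.0 must not be compared with 9.0.124.0 as a string.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classify each browser separately: one patched browser says nothing
// about the others on the same machine.
function auditBrowsers(inventory) {
  return inventory.map(({ browser, reported }) => {
    const v = parseFlashVersion(reported);
    const status = v === null ? "unknown"
      : compareVersions(v, PATCHED) < 0 ? "outdated" : "patched";
    return { browser, reported, status };
  });
}

// Constructed sample inventory for one workstation.
const sample = [
  { browser: "Internet Explorer", reported: "WIN 9,0,115,0" },
  { browser: "Firefox", reported: "Shockwave Flash 9.0 r124" },
  { browser: "Opera", reported: "9.0.47.0" },
  { browser: "Other", reported: "not installed" },
];
console.log(auditBrowsers(sample));
```

An "unknown" result means the string could not be parsed and that browser needs a manual check on the About page.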

