Flash Player update plugs exploited hole
Adobe has released updates for Flash Player closing seven holes in the application. Six of the holes can be exploited to allow an attacker to infect a PC using crafted web pages. The seventh is a cross site scripting hole that Adobe says is already being exploited in "active targeted attacks". The attacks, which are only aimed at Internet Explorer on Windows, try to trick the user into clicking on a malicious link. Adobe say the hole "could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website".
Flash Player version 184.108.40.206 and earlier on Windows, Macintosh, Linux and Solaris, version 220.127.116.11 and earlier for Android 4.x, and version 18.104.22.168 and earlier for Android 3.x and 2.x are all affected. Desktop Flash users should update to 22.214.171.124 by downloading it from Adobe's site. Android 4.x users should update to 126.96.36.199 and Android 3.x and 2.x users should update to version 188.8.131.52 by browsing to the Android Market Place for an update.
Google's Chrome browser, which embeds the Flash Player, has been updated to version 17.0.963.56 on Windows, Mac, Linux and Chrome Frame. The Chrome update also addresses thirteen high, medium and low severity security issues, eight of which paid out from $500 to $1337 in bug bounty rewards. Google Chrome updates should be automatically delivered to Chrome users.
- APSB12-03 - Security update available for Adobe Flash Player, Adobe security advisory