
Adobe patches critical vulnerabilities in Flash Player

Adobe Flash Player (formerly Macromedia Flash) is a browser plug-in/add-on module that displays active "Flash" multimedia content in web pages. This active content can include audio, video, hyperlinks, and JavaScript. It is thought that Flash Player is installed in over 90% of the personal computers that connect to the Internet. For instance, if you watch YouTube videos on your PC you are doing so via a Flash Player plug-in. Got the picture? So do the bad guys, who are always looking for ways to hijack your PC through Flash vulnerabilities! Some of these vulnerabilities include the ability to forcefully redirect a browser to a hostile file location and download it without the user's knowledge, then execute it. This is currently being exploited by means of specially crafted Flash advertisements made by cyber criminals.

On February 24, 2009, Adobe Flash Player was patched to fix 5 critical vulnerabilities that could allow complete system takeover, without user interaction. This time it not only affects Windows computers, but also Mac OS X and Linux PCs. The new, patched version of Adobe Flash Player is 10.0.22.87. This patch must also be installed into the Adobe CS 4 Flash creation program, if you are a Flash content developer.

Here is a summary of the security advisory published on February 24, 2009...

Adobe Security Advisory APSB09-01

"A potential vulnerability has been identified in Adobe Flash Player 10.0.12.36 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit this potential vulnerability. Additional vulnerabilities have been addressed in this update. Adobe recommends users update to the most current version of Flash Player available for their platform."

Affected software versions:
Adobe Flash Player 10.0.12.36 and earlier (Adobe Flash Player 10.0.15.3 and earlier for Linux).

Adobe recommends that all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version, 10.0.22.87, by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted. Only download the Flash Player and its updates from adobe.com! Cyber criminals try to fool people into installing fake Flash players as a means of distributing botnet Trojans and fake antivirus products.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which you can download from this link.

If you use more than one browser you must install the update in each browser separately, by visiting the above-listed download page, as different browsers need different types of Flash. For instance, Internet Explorer uses an ActiveX version of Flash Player, while Firefox, Opera and others use a browser plug-in version. After you install the update you must restart your browser for the update to "take." This flushes out the previous version and registers the new one.

After restarting your browser you should go to the About Flash Player page to ensure that you now have the current version installed. I also recommend that you use the Secunia Online Software Inspector scanner to make sure all of your browser's add-ons are up to date, as well as your operating system patches.
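For anyone checking more than one PC, the version check described above can be scripted. This is an added example, not code from Adobe or from the original post: it compares reported versions against the two fixed builds named in the advisory summary, and it counts each browser's Flash install separately. The inventory rows are constructed, and the comma-separated `WIN`/`LNX` version strings are an assumed input format.

```python
import re

# Fixed builds named in the article's APSB09-01 summary.
FIXED = {10: (10, 0, 22, 87), 9: (9, 0, 159, 0)}


def parse_version(text):
    """Parse '10.0.12.36', '10,0,12,36' or 'WIN 10,0,12,36' into a 4-tuple of ints."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in m.groups())


def needs_update(version_text):
    """True when the build is older than the fixed build for its branch."""
    v = parse_version(version_text)
    if v[0] < 9:
        return True  # "10.0.12.36 and earlier": no fixed build below the 9 branch
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # major version newer than 10
    # Compare as integer tuples; as plain strings "9.0.47.0" sorts after "9.0.159.0".
    return v < fixed


def hosts_to_patch(inventory):
    """Map host -> Flash installs (ActiveX or plug-in) that still need the update."""
    stale = {}
    for host, flavor, version in inventory:
        if needs_update(version):
            stale.setdefault(host, []).append(f"{flavor} {version}")
    return stale


# Constructed inventory rows (host, Flash flavor, reported version); not real data.
SAMPLE = [
    ("pc-01", "ActiveX", "WIN 10,0,22,87"),
    ("pc-01", "plug-in", "WIN 10,0,12,36"),  # second browser left unpatched
    ("pc-02", "plug-in", "LNX 10,0,15,3"),
    ("pc-03", "ActiveX", "9.0.159.0"),
    ("pc-04", "plug-in", "9.0.47.0"),
]

if __name__ == "__main__":
    for host, installs in hosts_to_patch(SAMPLE).items():
        print(host, "->", ", ".join(installs))
```
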

I would like to close by stating that users who operate their computers with less than administrator privileges are less at risk from these browser plug-in exploits. Read my recent article about how running your PC with reduced user privileges stops up to 92% of malware infections and its related, linked-to articles.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
