Good news for the many users of Flash out there – Adobe has issued an updated version (184.108.40.2065) which reportedly fixes a vulnerability that has been exploited by web adverts on sites such as DailyMotion.
The vulnerability, which exists on all supported platforms including Windows, Mac OS X and Linux, is known as CVE-2015-0313, and was being actively exploited by hackers who were installing malware on visiting computers running Internet Explorer and Firefox on Windows 8.1 and earlier.
According to an updated Adobe security advisory, automatic updates began rolling out yesterday:
Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 220.127.116.115 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
Sure enough, when I checked my Mac System Preferences I was able to determine that Flash had automagically updated itself without me having to do anything.
You can check which version of Flash you have installed on your computer here.
Earlier this week I explained how to enable click to play in your web browser to prevent Flash elements from automatically running when you visit a webpage which contains Flash content – and this continues to be a good idea to better protect yourself from future attacks.
The sad truth is that this is just the latest in a series of recently-discovered exploitable vulnerabilities in Flash. It’s not going to be the last. Chances are that there is another zero-day vulnerability in Adobe Flash just around the corner.
Protect yourself now by either removing Flash from your computers or, if (as is likely) you decide that’s unviable, enabling “Click to Play” to give your computers an additional layer of protection against Flash attacks.
Alternatively, keep your head in the sand and sing along with the following…