Adobe has just released an update (APSB11-26) to its ubiquitous Flash software, revving it to version 10.3.183.10 for Windows, Mac, Solaris and Linux, and to version 10.3.186.7 for Android.
Today’s release fixes six vulnerabilities in Flash Player, one of which (CVE-2011-2444) was being used in targeted attacks. This bug is a cross-site scripting flaw that could allow malicious web pages to take actions on behalf of the logged-in user.
Adobe has rated this update as Critical. SophosLabs has assigned it a High rating.
SophosLabs has yet to see any samples in the wild, and notes that CVE-2011-2444 is not straightforward to exploit. Nevertheless, as Adobe reports, this vulnerability has been exploited, albeit only in targeted attacks so far.
Windows, Mac, Solaris and Linux users can download the latest Flash Player from http://get.adobe.com/flashplayer.
Do watch out though. If adding the bloat of Flash to your browsing experience isn’t enough for you, Adobe has decided to default to bundling it with the Google Toolbar or McAfee trialware for Windows users.
You can untick the box before downloading if you don’t want these options.
Maybe that’s why Apple won’t support Flash on iDevices. No portable versions of Google Toolbar or McAfee?
Android users can download the latest Flash Player from the Android Marketplace. Google Chrome users were automatically updated on September 20, 2011, with protection against these flaws.