Guess what? Adobe Flash is being hit with in-the-wild attacks (again); update to latest version to stay safe


Java. Flash. Java. Flash. Java. Flash. It seems like these two take turns in making your system vulnerable to attack. Sometimes they even misbehave at the same time, like today. As mentioned earlier today, two new vulnerabilities have been discovered in Java. Now it is Flash’s turn.

Adobe just announced two Flash bugs (CVE-2013-0643 and CVE-2013-0648) “are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content”. These attacks “could cause a crash and potentially allow an attacker to take control of the affected system”.

As per Adobe, these attacks are aimed at Windows and Mac OS X users of Firefox… but that does not mean someone cannot modify the attacks to target a different browser.

Unlike Java, which has yet to be patched, Adobe has already released an update to Flash that fixes these two bugs. You should update Adobe Flash to the latest version (11.6.602.171 for both Windows and Mac OS X) immediately to stay safe. Updating Flash on Linux (to 11.2.202.273) is also recommended, even though this particular attack is not targeting Linux users. As usual, Chrome and Internet Explorer 10 will automatically update their built-in Flash modules to the latest versions, so you don’t need to worry about it if you run Chrome or Internet Explorer 10 and don’t have Flash installed otherwise.

If you have automatic updates enabled in Flash, Flash should update itself. If you are impatient, hit up the link below to update manually.

Adobe Flash download page
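
If you look after more than one machine, the version check implied by the update advice above can be scripted. The following is an added example, not code from Adobe or the original post; the inventory format (a host name plus a Flash-style version string such as `WIN 11,6,602,171`) and the sample hosts are assumptions made for illustration.

```python
import re

# Fixed versions named in the article, keyed by the platform tag that
# Flash's own version string uses (WIN, MAC, LNX).
FIXED = {
    "WIN": (11, 6, 602, 171),
    "MAC": (11, 6, 602, 171),
    "LNX": (11, 2, 202, 273),
}

# Accepts "WIN 11,6,602,171" (Flash's native form) or "WIN 11.6.602.171".
RECORD_RE = re.compile(r"^([A-Z]{3})\s+(\d+(?:[.,]\d+){3})$")


def classify(version_string):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    m = RECORD_RE.match(version_string.strip())
    if not m or m.group(1) not in FIXED:
        # Unparseable, or a platform the article gives no fixed version for:
        # surface it for manual review instead of passing it silently.
        return "unknown"
    # Compare as integer tuples; comparing the raw strings would rank
    # "11.6.602.99" above "11.6.602.171".
    installed = tuple(int(p) for p in re.split(r"[.,]", m.group(2)))
    return "patched" if installed >= FIXED[m.group(1)] else "vulnerable"


def audit(inventory):
    """Map host -> status for an iterable of (host, version_string) pairs."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = [
    ("ws-01", "WIN 11,6,602,171"),
    ("ws-02", "WIN 11,6,602,99"),
    ("mac-01", "MAC 11.5.502.149"),
    ("lnx-01", "LNX 11,2,202,273"),
    ("lnx-02", "LNX 11,2,202,270"),
    ("ws-03", "WIN unknown"),
    ("and-01", "AND 11,1,115,36"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Here "patched" only means the host is at or above the version this article names; hosts reported as "unknown" need a manual look.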

[via ArsTechnica, Adobe]


11 comments

  1. AFPhy6

    [@Ashraf]
    – off the subject question, Ashraf: for the last week or two, the “edit post” option has not been showing up for me. Have you disabled that feature? I suspect it is something on my end that has changed, but before I go mucking around, I would like to confirm that you haven’t changed the website.

  2. AFPhy6

    [@santuccie]
    Well, that is a very good idea… I guess this may be the final reason for me to move away from my comfortable older FF versions to something newer since that click to play configuration setting is not available in the FF version I’m using… I’ve been meaning to for quite a while, but when I migrate, I also do backup and create a new profile. … ’bout time, I guess…

  3. mukhi

    [@Ashraf]
    I would love to see that!!! Oh well, prob is that even my bank uses JRE for log-in, grrr…

    [@santuccie]
    I have been reading your comments for a couple of days, nice info. My prob is that click to play may not work very well for me since I don’t have a fast broadband (well, it is supposed to be fast but throughput is very low sometimes).

    [@Janet]
    I know! Even the McAfee offer bundled freaks me out.

  4. santuccie

    [@mukhi]
    Flash and Java have become the primary targets ever since Address Space Layout Randomization was introduced in Vista SP1 (to mainstream users, anyway; I think OpenBSD had it before then). Reason being, Flash and Java are not subject to ASLR, and are therefore easier to exploit in a drive-by attack.

    I can’t (and don’t) live without my plugins. I prefer to use click to play, so only the content I intend to run is ever downloaded. This way, unless I’m visiting the places I shouldn’t be visiting, I’m safer than users with updated plugins in the event of a zero-day outbreak. It also speeds up my pageloads, by leaving out the extra junk unless I specifically click on the placeholder. For more information:

    http://www.howtogeek.com/123986/how-to-enable-click-to-play-plugins-in-firefox/
    http://www.howtogeek.com/126284/how-to-enable-click-to-play-plugins-in-google-chrome/
    http://hoyois.github.com/safariextensions/clicktoplugin/

    Hope this helps!