Adobe has issued a patch to update Flash on both the Mac and Windows platforms in order to fix two new vulnerabilities already being exploited “in the wild” to spread malware. One of the targeted attacks using the exploit works as well against Mac users as it does against Windows users. Visitors are tricked into downloading and opening MS Word files that contain malicious Flash content, while the other vulnerability uses a similar technique but only affects Windows users.
Ironically, the patch comes on the same day that Adobe has announced a future version of Flash that will make exactly this sort of embedded attack hidden in Microsoft Office documents more difficult to achieve. Office 2010 and later already have a “Protected Mode” that prompts users to give an OK before any embedded Flash content is played, but a forthcoming Flash revision will apply the same protection to users of Office 2008 and earlier.
Users of Google Chrome for Mac and PC or Internet Explorer 10 on Windows will have their Flash install automatically updated and do not need to do anything. Users of other browsers should disable Flash until it can be updated to the latest version, which is now 11.5.502.149. A Linux update is available as well that brings its Flash version to 22.214.171.1242. Readers can check on their current version of Flash by visiting Adobe’s Flash page.