Adobe Flash Player gets emergency update
Adobe has urged users of its Flash Player plug-in to install an update to protect themselves against the risk of hackers hijacking their PCs.
It cited a "critical vulnerability" in older versions and said it had become aware of reports that cybercriminals had worked out a way to exploit it.
A new version of the multimedia player has been made available for download for Windows, Mac and Linux computers.
This is the latest in a series of setbacks for the company.
The California-based software maker acknowledged that usernames and encrypted passwords had been stolen from about 38 million of its active account holders last year.
And Flash vulnerability alerts frequently appear on security firms' warning lists.
"Adobe does seem to have an unfortunate history of people finding security flaws with Flash that require updates," independent security consultant Alan Woodward told the BBC.
"What Adobe seem to have done in this case is put out a warning, but it has not given as much information as other firms would normally do when issuing such a security advisory.
"That might be them trying to avoid giving the hackers too much information whilst still telling people there is a problem."
Adobe only describes the flaw as being an "integer underflow vulnerability" in its report.
Sandboxed software
The company thanks two researchers at the Kaspersky Lab for alerting it to the problem.
The Russia-based security company said it had discovered a Flash exploit that it believes had been created to target Chinese organisations and users.
"This attack works whereby when a document is opened, an embedded flash exploit starts an easy downloader to the disk, which then downloads a fully-featured backdoor and a Trojan spy," said Vyacheslav Zakorzhevsky, head of Kaspersky's Vulnerability Research Group.
"The program goes on to steal passwords from popular email clients and grabs log-ins and passwords from the web-forms of popular social-email services."
Apple is now blocking the use of older versions of Flash on its Safari web browser.
The firm introduced a "sandbox" feature to its Mavericks operating system in October that stops the Flash plug-in from running automatically. Users must first give it permission to activate and Apple can also disable the software remotely.
Adobe had previously worked with Google, Microsoft and Mozilla to offer similar protective measures.
Adobe notes that users of Chrome, Internet Explorer 10 and Internet Explorer 11 should all see their browsers automatically update themselves to include the latest version of Flash.
"This latest Flash 'zero-day' serves as a good reminder of the reasons security professionals urge users to enable browser plug-ins only when necessary," said Craig Young, a researcher at security firm Tripwire.
"It is important to note that browsers such as Chrome and Internet Explorer have Adobe's Flash technology 'baked in' making it necessary to explicitly disable it when not needed."
Video games
Although many websites still use Flash to provide videos, graphics, games and other content, large numbers of developers have switched to using the web language HTML 5 to create such effects.
This has been spurred on by the fact that Flash is not supported on Apple's iOS platform and has been pulled from Google's Android Play store.
Adobe itself acknowledged in 2011 that HTML 5 offered the "best solution" for mobile devices because it was universally supported.
However, it continues to develop the software for PCs, suggesting it can deliver smoother animations and higher-quality 3D video games graphics than alternative technologies.