May 30, 2008 10:32 AM PDT

Exploited bug doesn't exist in latest version of Flash

by Michael Horowitz

Old versions of Adobe Flash Player, perhaps the most widely used software in the world, contain known bugs that are being actively exploited online. If you are using any version of Flash Player other than the latest, you should update to version 9.0.124.0 as soon as possible.

Early reports from Symantec said the bug being exploited was a new one. Turns out this is not the case. On Thursday, Adobe said:

"Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0."

You can see which version of Flash Player is being used by your Web browser at the Adobe Flash tester page. You need to check every Web browser installed on your computer.

For instructions on updating Flash Player, see "Time to update the Flash Player. Here's how." If you use the portable version of Firefox, see "Portable Firefox and the Flash Player" for instructions on updating Flash Player.

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by Lerianis May 31, 2008 9:08 PM PDT
Well, you should ALWAYS keep up to date with the latest versions of the software on your computer...... some things, like the Flash Player, should have an 'automatic update' thing where it runs on the start of your computer or when you first open a Flash file, searches for an update, and pops up a message if there is one.
by hnielsenatcbs June 1, 2008 1:31 PM PDT
Agree - Flash Player should have an auto update feature, just like Firefox and many others.
But there are alternatives - programs that watch your installed software for updates. CNET's VersionTracker is fine, but not free. FileHippo (www.filehippo.com) has a free alternative. Not as comprehensive as VersionTracker, but it does check your Flash, both the ActiveX and the "normal" (Firefox) version, and offer direct download links to the new versions. And it's easy to set it to start at boot-time.
by mhinnewyork June 3, 2008 8:49 AM PDT
Flash does have an auto-update feature but I have no idea how it works and it hasn't been very useful in my experience. That is, every time Flash needs to be updated I learn about it another way, not from Flash itself.
by dbjohnson2 June 1, 2008 2:29 PM PDT
I recommend the Secunia.com website.

You can run the online scanner which checks to see whether the typical suspect programs are up-to-date. One nice feature is it tells you where to obtain the update and where the obsolete version is installed on your PC.

But the feature I probably like best is that you can sign up to receive an email alert whenever there is a security update to the typical programs. This enables you to turn off many programs which run in the background on your PC checking for updates. Less non-required stuff running the better in my opinion.

And, no, I have no financial interest in Secunia.

Doug
by mhinnewyork June 3, 2008 9:20 AM PDT
I agree that the Secunia online scanner is a great thing and I've recommended it here on this blog multiple times. That said, it is limited in the programs it supports and it does not tell you of known buggy software for which there is, as yet, no bug fix. Still, it's a great thing. Michael Horowitz
by i_made_this June 2, 2008 10:12 AM PDT
Agreed, the on-line Secunia Software Inspector is excellent. It actually proved something subtle to me about Adobe Flash - it doesn't matter if you keep up with extremely critical Flash patches / updates, so long as you continue using certain Instant Messengers and gaming programs that refuse to update Flash on their servers. The corrupt and outdated Flash code these providers insist on inflicting on your system doesn't mean you should stop being timely about your Flash updates. It just means that you should pause to consider why certain Instant Messengers in particular would choose not to be timely. What benefit do they gain by feeding your client with their servers' extremely critical and corrupt code? The answer is more than a little frightening.
by mhinnewyork June 3, 2008 9:25 AM PDT
I agree completely. A full scan with the online Secunia Inspector can be frightening in the old buggy stuff it uncovers. But, it's an important part of Defensive Computing. Michael Horowitz
About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.
