Make sure you have the latest Flash Player

There is an in the wild exploit going around that is taking advantage of a Flash Player vulnerability. News of the exploit is big enough that it made the Slashdot front page yesterday.

The experts currently believe that the current version of Flash Player is safe. So make sure you have version 9.0.124.0 installed.

Check your Flash version: http://www.macromedia.com/software/flash/about/

Check the version in both IE and in Firefox/Opera/whatever. IE and Firefox use different installs of the Flash Player.

Get the latest Flash version: http://www.adobe.com/go/getflashplayer

You can keep up with the latest news on this from Adobe at their security blog.

Is this something us Mac users need to worry about?

Possibly. The latest info from security blogs is that the new attack is using an old exploit that was fixed in the current Flash version. But everyone is still using hedging words and nobody is making a definitive statement about whether the current attack is using that old exploit or something new.

Info on the old (fixed) Flash vulnerability: Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability
That vulnerability affected Windows and Linux versions of Flash. They don’t mention Mac at all, but that is no guarantee that the Mac version isn’t also affected.

The Mac users can feel safe in that even if their version of Flash is affected the bad guys are not creating Mac malware yet, maybe.

With luck it will turn out that the current attack is using the old fixed vulnerability. If we’re unlucky it will turn out to be a new exploit that will need a fix from Adobe pronto.

Don’t worry about any of this crap. I get these “Oh, no! The sky is falling!” emails all the time from my relatives. They think they are trying to be helpful. I wish you people would stop spreading these hoaxes. I, for one, am not going to upgrade.

Everyone with the latest version of Flash installed (9.0.124.0) can relax. Uni57 can continue doing whatever it is he does on his obsolete computer.

Consider this a good lesson on why it is necessary to stay up to date with software versions, especially software that connects to the internet. A true zero day exploit in the wild on a wide scale that affects Flash would be bad bad news.

Update from the Adobe PSIRT blog:

I will. And the rest of you can waste time listening to John’s gibberish.

But on a serious note – I built my latest machine in December and went almost four months before hooking it up to the network, much less the Internet. Everybody asked me, “what are you going to do with the machine?” Plenty. A computer is much more than an Internet appliance. Keeping it off the Internet keeps it relatively clean and safe. Keeping it off the network keeps it safe from attacks from other machines on your network. It’s a pain to install software and transfer files, but it can be done. I advise everybody to try “unplugging” one of their machines for a while. Keep your important stuff on that machine. And be careful what you transfer to it. Depending on what you do with it, and if you start with a fresh OS install, it can be your most stable, secure, and worry-free machine. You should, of course, pay attention to security threats. I’m just saying that you should also, if you have a spare machine, take a step away from the Internet. It’s not everything (and it brings its own set of problems). In fact, once, not too long ago, the Internet didn’t exist. Yet we still had fun with computers – without worrying about them catching a disease. Just food for thought (this issue reminded me of my attempt to keep a machine off the Internet).

Thank you Mr. Childs

JC’s computer advice is usually pretty good IMHO. So I upgraded my flash with the handy link provided. :slight_smile:

I’m not going to pretend to understand “coding” software, but keeping my computer healthy has always been an evolving thing. New info is helpful.

Thanks, JC, for the heads up. :slight_smile:

Slashdot is one of the most highly respected tech websites on the internet, this is a real and legitimate threat. A lot of the stuff people forward through email about viruses and the like are indeed hoaxes or are from people who have no idea about what they are talking about. It’s all about learning which resources to trust on the subject. Slashdot, Symantec, JC and myself are just a few of the many you can go with.

Keeping a computer off the internet completely will definitely protect you from threats but you are really limiting yourself. It seems a bit foolish to be doing that where instead you could just be keeping your software up to date and your important data backed up onto an external hard drive. People really too often exaggerate the threat of hackers and viruses, if you are just smart about how you use your computer you have nothing to worry about.

I’m actually using the Flash 10 beta, it automatically adapts the bitrate of streaming flash videos to reduce stuttering due to network latency. It has quite a few other cool features too like native GPU accelerated 3d support, but you won’t be seeing much of those features until developers start adopting the new software.

Thanks John,
Take Five!

But seriously, thank you, I am updated

a bit off-topic

I will be investigating my machines to be sure I have the Flash updates, but there is a question from me: what is meant by “in the wild”?

Out in the real world (internet in this case) rather than just in a testing environment.

Yes, yes, yes. And John is one of the most respected authorities in this forum. Everybody knows that. But you know how non-technical people forward emails with bogus threats, thinking that they are being helpful? I was lumping John’s well-referenced and researched post in with them. It was a joke. I think he knew that (I hope). I’m starting to think harper is wrong about emoticons. Apparently they are a necessary evil.

And keeping a machine off the Internet only limits what you can do on that one machine. If you limit the software you install, you can have an exceedingly safe and secure environment where you can do other productive computer things. Not having a browser at my fingertips (for when a random thought popped into my head) allowed me to stay focused on the project at hand. It is a liberating feeling to be “unplugged”. It’s cool to have a machine that cannot be touched by the outside world. Try it. It’s like stepping back in time. I’m building a personal digital library – a personal repository of my life – and that will certainly run on a server that has no access to the Internet. Software updates only patch the known security holes. There are always more. And every time you update, you run the risk of something not working that used to work. Or maybe it wipes out your privacy-related settings. Or adds a new big-brother setting that you didn’t know to turn off. You can’t know until you try it how nice it is to step out of that cycle. Edit: if you want a stable operating system that you don’t have to reinstall every two years, then don’t keep updating it! Get it working the way you want and then leave it alone. “If it ain’t broke…” But you can’t do that if it’s connected to the Internet.

I very much understood it was a joke. It was even a bit silly. :stuck_out_tongue:
In my first draft of my reply I accused you of using an Atari ST computer. For some odd reason I edited out the Atari ST part and replaced it with “obsolete”. :thinking:

Ah, the days before the internet. Pleasant memories of boot sector viruses travelling by sneakernet. The main online worry was the dreaded ANSI bomb attacking you at 1200 bps. :astonished:

Because deep down inside, a part of you remembered that I was an Amiga man, not Atari.

A better phrase than “in the wild” would have been “being actively exploited”.

If it had turned out to be a new exploit against Flash it would have been very very bad. It turned out to be only slightly bad only for those still using an older version of Flash.

There are some tools to help you keep up to date with some of the more common software.

Secunia Online Scan: About Secunia Research | Flexera

Secunia Personal Software Inspector (PSI): https://psi.secunia.com/

FileHippo Update Checker: Download IObit Software Updater 5.1.0.15 for Windows - Filehippo.com

I run those every few weeks or so. They help to keep my computers up to date. Between those and Microsoft Update I can be sure that the important bits of my systems are kept up to date.

The Secunia PSI scanner is the most thorough of the three. The FileHippo Update Checker is the most convenient of the three because it gives you a download link for anything that it finds that needs an update. All three of them will let you know if Flash needs to be updated.

Strange, I installed the latest version of flash, then ran the Secunia Online Scan and it found multiple entries for flash, some of them updated and some not.

Does this mean all the older versions are still installed? Why is there more than one updated version listed? (Java shows the same thing)

BTW thanks for the links John.

Flash is a bit sloppy in cleaning up old versions when you install a new version. The old files stay around, but are no longer being used. It is not a security problem to have the old Flash files still around as long as you have the newest version properly installed. Only the newest version will be the one used.

If you’re comfortable running command line tools you can manually remove all traces of the old versions.

1. Find the location of one of the old versions.
2. Open a command prompt and navigate to the directory where the old version is.
3. Run “regsvr32 /u filename”. The filename should be either an ocx or dll file (I can’t remember which extension the old versions of Flash were using). That unregisters the ocx or dll from the registry.
4. You can now delete that ocx or dll file.

All that is only necessary if you are the type to have an overwhelming urge to clean things up

Java also leaves traces of old versions around. You can remove the old versions of Java using the Add Remove Programs tool in the Control Panel. I’m a neat freak so I always remove the old version of Java before installing a new version. It’s not necessary though. The old versions won’t actually be used. Only the most current version is the one that will be used by the browsers.
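
The cleanup steps in the post above begin with finding the old Flash files and telling them apart from the current one. As an added example (not part of the original thread), this PowerShell script lists the .ocx and .dll files in a Flash folder, reads each file's version resource, and compares it with 9.0.124.0, the version the thread names as current. The default folder is an assumption (the usual ActiveX Flash location; the thread does not name it), and the script only reports: it prints the `regsvr32 /u` command for older files but does not run it or delete anything.

```powershell
# Added example, not from the original thread. Read-only inventory of Flash binaries.
param(
    # Assumption: usual location of the IE (ActiveX) Flash files; not stated in the thread.
    [string]$FlashDir = (Join-Path $env:WINDIR 'System32\Macromed\Flash'),
    # Version the thread gives as the current, fixed release.
    [version]$Current = '9.0.124.0'
)

# The post is unsure whether old versions used .ocx or .dll, so look at both.
$files = Get-ChildItem -Path $FlashDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.ocx', '.dll' } |
    # Skip files with no version resource; they would otherwise read as 0.0.0.0.
    Where-Object { $_.VersionInfo.FileVersion }

if (-not $files) {
    Write-Warning "No versioned .ocx or .dll files found in $FlashDir"
    return
}

$files | ForEach-Object {
    $vi = $_.VersionInfo
    # Use the numeric parts: the FileVersion string may use commas instead of
    # dots, which [version] cannot parse directly.
    $ver = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $old = $ver -lt $Current

    [pscustomobject]@{
        File    = $_.Name
        Version = $ver
        Status  = if ($old) { 'older' } else { 'current or newer' }
        # Command from the post, shown for review only; it is not executed here.
        Cleanup = if ($old) { 'regsvr32 /u "{0}"' -f $_.FullName } else { '' }
    }
} | Sort-Object Version | Format-Table -AutoSize
```

Firefox and Opera use a separate plugin install, as noted earlier in the thread, so pass that folder with `-FlashDir` to check it as well.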