Adobe normally issues its security updates on Patch Tuesday along with Microsoft, but this month the company didn’t wait to release an emergency update for Flash Player, covering the versions for Windows, Mac and Linux. The “out of band” update came out on February 4, with the security bulletin for CVE-2014-0497 recommending that users of Adobe Flash Player update their installations immediately.
The critical vulnerability addressed by this patch is a wide-reaching one that applies to Flash on almost all computers, including Windows, Mac OS X and Linux machines. It is also a nasty one in that it could allow an attacker to take complete control of a computer remotely. And to make things worse, Adobe has noted that they are aware of reports that the vulnerability is already being exploited “in the wild.” For that reason, they’ve assigned this vulnerability a Priority 1 rating on both Windows and Mac systems. The Priority rating on Linux is 3.
You may or may not need to take action to install the update; in some cases it should be done automatically for you. Here are the specifics, depending on your operating system and web browser:
- Users of Adobe Flash Player 18.104.22.168 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 22.214.171.124.
- Users of Adobe Flash Player 126.96.36.1995 and earlier versions for Linux should update to Adobe Flash Player 188.8.131.526.
- Adobe Flash Player 184.108.40.206 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 220.127.116.11 for Windows, Macintosh and Linux.
- Adobe Flash Player 18.104.22.168 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 22.214.171.124 for Windows 8.0.
- Adobe Flash Player 126.96.36.199 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 188.8.131.52 for Windows 8.1.
Adobe’s Flash has faced a rocky road over the last decade, not the least of which has been on the security front. However, despite the predictions a few years ago that Flash was on its last legs and would soon be replaced by HTML 5, it appears that rumors of its death were wildly exaggerated.
When Steve Jobs proclaimed in 2010 that “Flash is no longer necessary” and that Apple wouldn’t support it on the iPhone and iPad, pundits were quick to call it the end of the technology. Ed Bott, over on ZDNet, called Flash “the new Vista” and said the company was in denial about their security problems. Then in 2011, Adobe discontinued its mobile version of Flash Player, seemingly sealing its fate. YouTube has been moving toward HTML 5 for its videos, as well. A huge security breach last October didn’t do much for Adobe’s reputation, with CNN Money headlining a story “Adobe has an epically abysmal security record.”
Somehow, though, Flash has managed to survive all this. According to Adobe’s web site, millions of desktops are still running Flash, with over 400 million updating to the new version within six weeks after release. Millions of developers still use Flash to create their web content in spite of all the reasons to avoid doing so. And even many of its detractors are reluctantly coming to the conclusion that HTML 5 can’t fully replace it after all.
It looks as if most of us are stuck with Flash in some form on at least some of the systems within our organizations. With its history as a favorite target for exploits, it’s important for us to be particularly vigilant about keeping Flash Player up to date.