Adobe's Flash Player, never the most secure piece of software, is being exploited by hackers and other Internet pests on two fronts.
Last week, Adobe shipped an important security update for Flash Player to coincide with Microsoft's Patch Tuesday. It quickly followed up with another patch yesterday (Aug. 21).
That's a good thing, because last week's updates, which were for Windows, Mac and Linux, may have alerted malware writers to the latest Flash security holes — one of which is already being exploited to target Apple fans.
An email with the subject line “iPhone 5 Battery Images Leak!!!” is finding its way into inboxes and promising detail-hungry enthusiasts photos and an article detailing one of Apple's best-kept secrets.
Instead of delivering what's advertised, though, the attached Word document hosts a nasty fake Flash file that exploits a vulnerability patched last week. According to Symantec, the phony Flash file is really a Trojan that gives a hacker remote control of your computer.
Adobe said yesterday's patch fixes a vulnerability that was being exploited in only a "limited" manner, but Symantec claims to have blocked about 1,300 attacks aimed at that particular weakness.
Adobe said the new patch closes a hole that could "potentially allow an attacker to take control of the affected system."
Both updates are available from Adobe at http://get.adobe.com/flashplayer.
Filling a gap
Adobe's video player isn't being exploited only on computers — it's being used to wreak havoc on Android devices as well.
Last Wednesday (Aug. 15), Google began phasing out Flash Player for Android devices. New installations are no longer permitted from the official Google Play app store, and Google is only updating Flash Player on devices that already have the software installed. (The capabilities Flash provided will be handled by new features in the HTML5 Web standard.)
Flash functions very differently from most smartphone apps. In order for it to work properly, and to ensure that Web content displays correctly, Adobe, Google, device makers and app developers had to coordinate closely to conduct extensive testing.
Adobe, for its part, says it has chosen to stop developing Flash Player for the Android platform, and is focusing on improving its products for Windows and for its cross-platform Adobe Integrated Runtime (AIR) environment, which allows a standardized build of Flash to run on many different systems.
Scammers, banking on the assumption that not everyone knew about the Adobe-Android split, cashed in on the removal of Flash Player from the Google Play app store by creating fake or pirated versions of the Flash Player app and putting them up on third-party distribution sites.
These phony Flash Player apps use Adobe's icon and logo, but also contain adware and Trojans.
One version even contains a working version of Flash Player, but also asks users to "root" their phones — never a good sign — and then downloads a second app full of ads. If a user tries to delete the ads, the adware downloads even more ads — all the while changing the browser home page, popping up ads in the status bar at an annoying rate and sending users' contact information to advertisers.
Users of Adobe Flash Player might want to adjust their settings to let Adobe update it automatically next time.
Users of Google's Chrome Web browser needn't worry so much, as Chrome will update Flash automatically after a browser restart.