Critical Flash vulnerability exploited and fixed!
Published February 7th, 2013 at 10:20 PM EST, modified February 7th, 2013 at 10:20 PM EST
Adobe announced today the release of a Flash Player update, fixing a vulnerability that they say is being exploited “in the wild” to drop malware on Macs. To cite an important portion of Adobe’s announcement, “Adobe is […] aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform.”
This indicates that Adobe is aware of sites hosting malicious Flash content that causes malware to be downloaded and installed as a “drive-by download.” If this is in fact the case, malware is being installed without any user interaction. It is unclear at this time what malware is being installed. Time will tell whether this is simply a new delivery method for some existing piece of malware, as was the case with the Flashback malware, or whether the first new Mac malware of 2013 has just made its appearance.
Mac users with Flash installed should immediately update to the latest version, which is 11.5.502.149. If you do not have Flash installed (it is not installed by default), you have nothing to fear. (If you are not sure whether you have Flash installed, look for a Flash icon in the System Preferences app. If there isn’t one there, you don’t have Flash installed.)
Those reading this who also use Windows, or have friends who use Windows, should know that the same vulnerability is also being exploited on that system, making this update equally critical for Windows machines.