Thursday, February 7, 2013

Adobe Flash Update 11.5.502.149
CRITICAL Security Patches

--

Another month, another Adobe Flash update. This one squashes two CVE security holes, both of which are being exploited in-the-wild. If you're already on the Adobe Flash v11.x track, this update is CRITICAL. As my net pal Al pointed out to me: This is the first-ever zero-day drive-by Flash exploit hitting the OS X platform!

IOW: GET THIS UPDATE NOW!

http://www.adobe.com/support/security/bulletins/apsb13-04.html

http://get.adobe.com/flashplayer/

CVE-2013-0633
Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.
CVE-2013-0634
Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

As usual, if you use Microsoft's ActiveX in your browser on Windows, you're insane. If you work for a business that relies upon ActiveX, they're insane. Get rid of it. It's a wide open gateway for malware. A Microsoft technology! :-P



Meanwhile on Mac: Great! Now we have to worry about malicious .SWF infected websites! Remind you of Java hell much? Sheesh.

MY ADVICE:

Get one of the plentiful add-ons for your web browser that KILL Flash until such time as you approve of it playing.

Safari: Get the ClickToFlash add-on. It's easy to use and offers lots of nifty-kewl other features, such as downloading and white listing. (It's cousin add-on is ClickToPlugin. Sadly, the developer has pointed out that ClickToPlugin is NOT effective at blocking all Java applets. Darn!)

Firefox: Get the Flashblock add-on. It's also easy. It will also block Silverlight if you choose, and it has a white list. Alternatively, go hard core and get the incredible NoScript add-on, which also blocks all Flash until you click to approve. NoScript takes some getting used to, but is terrific software for staying safe on the Internet. (Thank you Georgio Maone!)

Chromium: (I refuse to use Chrome because I don't trust Google's tracking). Chromium browsers apparently are not affected by the Flash drive-by infection, but just in case: Again get the Flashblock extension. It has the same features as the Firefox version. (There is no NoScript version of Chromium at this time, but there are rumors...).

If there are similar anti-Flash plug-ins for other browsers, please comment!




No comments:

Post a Comment