Upgrade Flash Now: 90 Percent of Windows Hosts Vulnerable

If you’re a heavy Internet surfer and are using Windows, you are probably exposed to several vulnerabilities in Adobe’s Flash Player without knowing it. A new version of the popular software has just been released, fixing seven flaws that allow remote code execution on a Windows system.

From Infoworld here:

Adobe has upgraded its Flash Player to fix seven vulnerabilities in its software widely used for interactive Web pages and banner advertisements.

Adobe classifies the patches as “critical” and advises people to upgrade to the latest version, 9.0.124.0. All of the vulnerabilities could allow a hacker to execute code on a machine.

One of the vulnerabilities allowed Shane Macaulay to win a laptop in the PWN 2 OWN hacking contest at last month’s CanSecWest conference in Vancouver.

Macaulay, a researcher with the Security Objectives consultancy, used the Flash flaw to break into a machine running Windows Vista. He later said 90 percent of computers worldwide were vulnerable.

Exploiting vulnerabilities in Flash software has become an increasingly popular vector for hackers to compromise machines for two reasons. Most Web browsers have the Flash Player installed, and malicious banner advertisements — which can achieve wide distribution on Web sites pulling ads from a network — can take advantage of those vulnerabilities.

As the article points out, the real danger of these flaws comes from malicious banner ads served on otherwise ordinary web pages: the ad runs as soon as the page loads, so a booby-trapped ad can exploit the flaws and install malware on your system without any click from you. Note that switching to an alternate web browser won’t protect you against this threat, because the vulnerable component is the Flash Player plugin, which every browser loads; the only fix is to upgrade the player itself.
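A quick inventory check, added here as an example (it is not code from the post, from InfoWorld or from Adobe): given Flash Player version strings collected from a set of hosts, flag anything below the 9.0.124.0 release named above. The host names and the inventory text are constructed for the example. It accepts both the dotted form Adobe uses in its bulletin (9.0.124.0) and the comma-separated form the player reports through its `$version` variable (WIN 9,0,124,0), and it treats anything it cannot parse as "unknown" rather than "safe". Whether every older branch (8.x and earlier) is in scope is something to confirm against Adobe's own bulletin; the code simply assumes that anything below the patched release needs the upgrade, as the post advises.

```python
import re

# The release the post tells readers to upgrade to (from the InfoWorld text above).
PATCHED_VERSION = (9, 0, 124, 0)

# Constructed sample inventory, one "hostname<TAB>reported version" per line.
# The version column deliberately mixes the dotted form used in Adobe's
# bulletin with the comma form the player itself reports via $version.
SAMPLE_INVENTORY = """\
ws-001\tWIN 9,0,115,0
ws-002\t9.0.124.0
ws-003\tWIN 8,0,39,0
ws-004\tnot installed
ws-005\tWIN 9,0,124,0
"""


def parse_flash_version(raw):
    """Return a Flash Player version as a 4-tuple of ints.

    Accepts "9.0.124.0" (bulletin style) and "WIN 9,0,124,0" ($version
    style). Raises ValueError for anything that does not contain four
    numeric fields, so callers can treat "not installed" separately.
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", raw)
    if not m:
        raise ValueError("unrecognised Flash version string: %r" % (raw,))
    return tuple(int(part) for part in m.groups())


def is_vulnerable(raw, patched=PATCHED_VERSION):
    """True when the reported version predates the patched release.

    Tuple comparison orders (9, 0, 115, 0) before (9, 0, 124, 0), and any
    8.x tuple before any 9.x tuple, which is the ordering we want here.
    """
    return parse_flash_version(raw) < patched


def hosts_needing_upgrade(inventory, patched=PATCHED_VERSION):
    """Scan an inventory dump and return two lists of (host, version) pairs.

    The first list holds hosts below `patched`; the second holds hosts whose
    version could not be parsed (no Flash, or a garbled value). Keeping the
    second list separate avoids silently reporting such hosts as safe.
    """
    needs_upgrade, unknown = [], []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        try:
            if is_vulnerable(version, patched):
                needs_upgrade.append((host, version))
        except ValueError:
            unknown.append((host, version))
    return needs_upgrade, unknown


if __name__ == "__main__":
    vuln, unknown = hosts_needing_upgrade(SAMPLE_INVENTORY)
    for host, version in vuln:
        print("UPGRADE %s (%s)" % (host, version))
    for host, version in unknown:
        print("CHECK   %s (%s)" % (host, version))
```

Run against the sample above it reports ws-001 and ws-003 as needing the upgrade and ws-004 as unknown; ws-002 and ws-005 are already on 9.0.124.0 and are left alone.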

As a blogger, I see a lot of the blog spam by these attackers. Sure, they are just text and links in blog comments, but the real intent of those comments is to drive up page ranking in Google. This way the attackers can poison Google search results to trick you into visiting a webpage that hosts their malicious flash crap. That is one of the reasons why YOU need McAfee SiteAdvisor on your box to validate that those search results are actually good.

5 Responses to Upgrade Flash Now: 90 Percent of Windows Hosts Vulnerable

  1. Hi shameless plug @ the SiteAdvisor bit at the end. Also a lot of Windows users that browse with Firefox use Flash Player 8 due to Flash Player 9 not working properly for Firefox.

  2. Google now warns you that the site you're going to is known to have malware. I got a warning page from Google when I tried to click on a search result a few days ago.

  3. An alternative to SiteAdvisor is Web of Trust. WOT is a tool for website reputation rating that lets Internet users share their knowledge of websites with 18 million sites rated already. The ratings are based on standards of trustworthiness, vendor reliability, privacy and child safety.

    Please give it a try. Web of Trust

  4. Don't forget all the other client side vulnerabilities out there that no one patches or updates…Adobe Reader, Java, Microsoft Office…just to name a few.

  5. Re Tom's comment: I recommend trying Secunia Software Inspector.

    It checks your system for programs that have not been updated. For instance, on mine it found Adobe Flash Player and Java that hadn't been updated and were vulnerable. There were later versions of both available.

    Secunia does not update the programs. Rather, it gives you links to the update sites.

    http://secunia.com/software_inspector/