This has not been a great week for Adobe; they have been scrambling to fix a number of critical vulnerabilities in their Flash Player product that are being used in active attacks. Two weeks ago, Adobe released a patch for a vulnerability that is being used in attacks in the wild (CVE-2015-0310). A few days later, they released yet another patch for a second vulnerability also being used in active attacks (CVE-2015-0311). And a few days after that, they released a patch for yet another vulnerability that is also being exploited in the wild (CVE-2015-0313).
While the latest patch is for Windows and Mac users, the previous two patches from Adobe are for Windows, Macs and Linux. All three vulnerabilities are being exploited via drive-by-download attacks. These attacks are a popular type for criminals as they can potentially provide a more “operating system agnostic” attack vector, since it has the potential for affecting more than one OS. And indeed, that is the case here.
This series of rapid-fire updates serves as reminder to enable automatic updates when you can, especially for popularly targeted browser plugins like Java and Flash. You may also wish to enable “click to play” functionality in your browser of choice, or install a “click to play” plugin from a reputable vendor and app store, as this sort of attack continues to be quite common.
It’s certainly understandable if you’re experiencing a bit of update fatigue from all this, and wondering if these are all indeed valid notifications. If you are unsure if you have the latest version of Flash Player, Adobe has a website where you can check this. If you have disabled Flash Player except for occasional use, you will need to temporarily enable it for this test to work. If you use multiple browsers, please check the update levels for all your browsers. If you do not have Flash Player installed, you needn’t worry about this. For the last several years, Flash has been becoming a less common browser plugin – and YouTube just chose to switch away from Flash to HTML5. If you have not needed it so far, you’re unlikely to need it now. As criminals love to disguise malware as Flash Player updates, you should only get plugin updates directly from the Adobe website.