With documented exploits for both Mac OS and Windows reported in the field, Adobe released another Flash version last night, moving up from version 11.5.502.146 to 11.5.502.149 in the process (see both numbers in my Flash Player Settings Manager window, after updating IE with the ActiveX version, but before installing the Plug-in Version for Netscape-compatible browsers):
The previous version (11.5.502.146) carries a release date of 1/8/2013 in the Flash Player Archives on the Adobe Website. Dan Goodin of Ars Technica has an excellent story entitled “Adobe issues emergency Flash update for attacks on Windows, Mac users,” that indicates updates are also available for Android and Linux platforms, too. Apparently, the thinking is that the vulnerability is severe enough to warrant hurry-up effort from malefactors to bring it up on those other runtime environments, because the ability to compromise Safari and Firefox on the Mac has also played into foisting booby-trapped Word documents with malicious Flash content on the PC is believed likely to show up in various other forms there as well. These vulnerabilities are classified as CVE-2013-0634 (Mac) and CVE-2013-0633 (Windows).
Here’s the skinny on the latest versions for all platforms, straight from Goodin’s article:
Thursday’s fix brings the latest version of Flash for Windows and OS X to v. 11.5.502.149. The latest Linux version is v. 126.96.36.1992, and the most current Android versions are 188.8.131.52 for Android 4 and above and 184.108.40.206 for Android 3 and earlier. Updates are available here. Flash in Google Chrome and in Microsoft Internet Explorer 10 is automatically updated.
In this context, it’s worth pointing out that Google is invariably speedy in posting updates to Flash for Chrome ( my Plugins page currently shows version 220.127.116.11, and Adobe claims that’s the most recent version thanks to its find-version-flash-player page. OTOH, Microsoft pushes Flash updates for the Windows Store UI version of Windows 8 through Windows Update, and a version was posted to that service at 3:15 yesterday afternoon. The corresponding Adobe Security bulletin addresses the same CVE numbers mentioned earlier in this blog post, so it looks for once as if MS has pushed out an “emergency” Flash update in a timely manner. I’m stunned, but also pleased…