Adobe fixed, among other things, a Flash Player flaw attackers have already exploited to break into Windows machines.

Microsoft gets most of the attention the second Tuesday of each month because of its security updates, but yesterday was also significant for the security patches Adobe released — including one for a Flash Player flaw attackers have already exploited to break into machines running Windows.

Adobe’s bulletin for Flash says the following:

These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Adobe recommends users update their product installations to the latest versions:

Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.271.
Users of Adobe Flash Player 11.2.202.236 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.238.
Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79.

Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux operating systems are affected.

Another update is for Adobe Shockwave Player. That bulletin says:

Adobe has released an update for Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
Adobe recommends users of Adobe Shockwave Player 11.6.5.635 and earlier versions update to Adobe Shockwave Player 11.6.6.636 using the instructions provided in the “Solution” section below.

AFFECTED SOFTWARE VERSIONS: Adobe Shockwave Player 11.6.5.635 and earlier versions for Windows and Macintosh

Adobe also released a fix for Reader and Acrobat. From that bulletin:

Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4).
For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2.
Users of Adobe Acrobat X (10.1.3) for Windows and Macintosh should update to Adobe Acrobat X (10.1.4).
Users of Adobe Acrobat 9.5.1 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.2.

AFFECTED SOFTWARE VERSIONS

Adobe Reader X (10.1.3) and earlier 10.x versions for Windows and Macintosh
Adobe Reader 9.5.1 and earlier 9.x versions for Windows and Macintosh
Adobe Acrobat X (10.1.3) and earlier 10.x versions for Windows and Macintosh
Adobe Acrobat 9.5.1 and earlier 9.x versions for Windows and Macintosh

In a recent interview, Brad Arkin — Adobe’s senior director of security, standards, open source, and accessibility — told me one of the company’s big efforts is to get more customers to use the most recent versions of these programs. To that end, Arkin has focused on automatic updates that download in the background, so the user doesn’t have to be bothered with it.
“We’ve been putting a lot of incremental improvements into Reader but adoption wasn’t as high as we needed it to be,” he said. “In April 2010 we turned on our auto-updater and that’s increased deployment significantly. In June 2011 we changed the default setting from semi-auto to silent auto. Users need the update but if asked they won’t want to be bothered. So the goal was to make it so they wouldn’t have to be bothered.”

He added: “The bad guys attacked Flash a lot in 2010-11. The security update response time for Flash is now an average of 5 days. We are adapting the Reader auto update strategy to Flash player, but it’s a little more difficult because of the different ways Flash communicates with the different browsers. We can’t do this just once like we could with Reader.”