Upgrade Flash Now: 90 Percent of Windows Hosts Vulnerable

If you’re a heavy Internet surfer and are using Windows, you are probably exposed to a number of vulnerabilities in Adobe’s Flash Player without knowing it. A new version of the popular software has just been released, fixing seven flaws said to allow remote code execution on a Windows system.

From Infoworld here:

Adobe has upgraded its Flash Player to fix seven vulnerabilities in its software widely used for interactive Web pages and banner advertisements.

Adobe classifies the patches as “critical” and advises people upgrade to the latest version, 9.0.124.0. All of the vulnerabilities could allow a hacker to execute code on a machine.

One of the vulnerabilities allowed Shane Macaulay to win a laptop in the PWN 2 OWN hacking contest at last month’s CanSecWest conference in Vancouver.

Macaulay, a researcher with the Security Objectives consultancy, used the Flash flaw to break into a machine running Windows Vista. He later said 90 percent of computers worldwide were vulnerable.

Exploiting vulnerabilities in Flash software has become an increasingly popular vector for hackers to compromise machines for two reasons. Most Web browsers have the Flash Player installed, and malicious banner advertisements — which can achieve wide distribution on Web sites pulling ads from a network — can take advantage of those vulnerabilities.

As the article points out, the real danger of these flaws comes from malicious websites hosting banner ads that run when you open a web page. Such ads could exploit the flaws automatically and install malware on your system. Note that using an alternate web browser won’t protect you against this threat.

As a blogger, I see lots of blog spam from these attackers. Sure, it is just text and links in blog comments, but the real intent of those comments is to drive up page ranking in Google. This way the attackers can poison Google search results to trick you into visiting a webpage that hosts their malicious Flash crap. That is one of the reasons why YOU need McAfee SiteAdvisor on your box to validate that those search results are actually good.