Flash Player Security Hole Allows Attackers to Steal Mac Browser Data

A known security hole in Adobe’s Flash Player that could allow malicious users to steal browser data on Macs, PCs, and Linux machines has been exploited in a proof-of-concept by a Google engineer, prompting Adobe to issue a patch to fix the issue. Users should update their Flash Player as soon as possible.

Flash Fail

AppleInsider:

Adobe says that Flash Player version 14.0.0.125 and earlier for Mac and Windows and version 11.2.202.378 and earlier for Linux suffer from the bug, which was exploited in a proof-of-concept by Google engineer Michele Spagnuolo. Mac and Windows users should update to version 14.0.0.145 while Linux users should update to version 11.2.202.394.

The flaw can be exploited by specially-crafted SWF files that consist entirely of alphanumeric characters, which are then executed by Flash Player. This malicious code can then take advantage of special privileges that are granted to embedded objects on the page, making cross-domain requests on behalf of a user and capturing returned data.

Website owners can also patch the vulnerability — assigned CVE identifier CVE-2014-4671 — on their sites with one of the fixes identified by Spagnuolo.

If you’d like to check the version of Flash Player that you’re running, visit Adobe’s About Flash Player page, or right-click on Flash content in your browser and choose “About Adobe Flash Player” from the pop-up menu.
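
For site owners who want to look for this pattern in their own traffic, here is a defensive check based on the description above. It is an added example, not code from AppleInsider, Adobe or Spagnuolo. It flags request parameter values that start with an SWF file signature and consist entirely of alphanumeric characters. That the payload arrives as a query-string value, the log line format, the 64-character threshold and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# SWF files start with one of three 3-byte signatures: FWS (uncompressed),
# CWS (zlib-compressed) or ZWS (LZMA-compressed), followed by a version byte.
SWF_SIGNATURES = ("FWS", "CWS", "ZWS")
MIN_LENGTH = 64  # assumption: shorter values are too small to hold a usable SWF
ALNUM = re.compile(r"[A-Za-z0-9]+")


def looks_like_alnum_swf(value: str) -> bool:
    """True if value starts with an SWF signature and is purely alphanumeric."""
    return (
        len(value) >= MIN_LENGTH
        and value.startswith(SWF_SIGNATURES)
        and ALNUM.fullmatch(value) is not None
    )


def scan_request_line(line: str):
    """Return (parameter, length) pairs for suspicious query values in one
    log line of the form 'METHOD URL PROTOCOL' (constructed format)."""
    try:
        _method, url, _proto = line.split()
    except ValueError:
        return []  # malformed line: nothing to inspect
    hits = []
    # parse_qsl percent-decodes values, so encoded payloads are inspected too
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if looks_like_alnum_swf(value):
            hits.append((name, len(value)))
    return hits


def scan_log(lines):
    """Map line index -> suspicious parameters, skipping clean lines."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_request_line(line))}


# Constructed sample lines; the long value is filler, not a working SWF.
FILLER = "CWS" + "M" + "a1B2c3D4" * 10
SAMPLE_LOG = [
    "GET /api/feed?callback=handleFeed&id=42 HTTP/1.1",
    f"GET /api/feed?callback={FILLER}&id=42 HTTP/1.1",
    "GET /search?q=CWS+flash+update HTTP/1.1",   # contains spaces: not flagged
    "GET /api/feed?callback=CWSshort HTTP/1.1",  # below MIN_LENGTH: not flagged
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: suspicious parameters {hits}")
```

A hit is a reason to review the request, not proof of exploitation: ordinary long alphanumeric tokens that happen to begin with one of the three signatures will also match.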