Attacks on a veterans’ website expose an Adobe Flash/Internet Explorer zero-day exploit, prompting out-of-cycle fixes from both software companies.
Meanwhile, a much-publicized security flaw in Apple’s iPads and iPhones points out risks of using public wireless networks.
A new version of Flash Player and a fixit for IE
This past week brought out-of-cycle updates from both Microsoft and Adobe. Two vulnerabilities in Flash Player and Internet Explorer were used to attack visitors to the Veterans of Foreign Wars website, as noted in a Feb. 19 MS Security Research & Defense posting. On Feb. 20, Adobe released Flash Player 18.104.22.168, detailed in the related Adobe Security bulletin.
The Internet Explorer vulnerability — limited to IE 9 and 10 — is still unpatched at this time. However, the Feb. 19 SRD post notes three ways to protect yourself in the meantime: upgrade to IE 11, use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), or install the fixit included in the post.
As Katherine Murray pointed out in the Feb. 20 Best Software article, it might be time to give IE 11 a try. Once it’s installed, check whether the websites you frequent display as they should. If they don’t, you can go back to IE 10.
As always when updating Adobe Flash, pay close attention to the installation process and uncheck any unwanted software offerings. Windows 8/8.1 users will get the latest Flash Player via Windows Update.
What to do: Check that you’re on Flash 22.214.171.124 by going to the Adobe Flash Player information page. Next, update to IE 11, install the fixit in MS Support article 2934088, or use EMET for better protection from future zero-day attacks.