It is believed that none of the vulnerabilities are currently being exploited. The Windows platform is considered the most likely to be targeted, and users are advised to update within 72 hours. Mac is the next most likely target, and here users are recommended to update within 30 days. Remaining platforms are not frequently targeted, and users are advised to update at their discretion.
Updates for Flash within Chrome and Internet Explorer 10 are handled by Google and Microsoft respectively. Chrome updates should be automatic. In a simultaneous advisory, Microsoft states, “Customers [IE10] who have automatic updates enabled will not need to take any action because protections will be downloaded and installed automatically. Customers who do not use automatic updates should apply the guidance in the advisory immediately using update management software, or by checking the Microsoft Update service, to help ensure protection.”
Adobe recommends that users check their current Flash version by visiting the About Flash Player page, and if necessary to download the latest version from its Flash Player Download Center. Brian Krebs, however, is not impressed, saying “that option pushes junk add-ons like McAfee VirusScan. Instead, download the appropriate version for your system from Adobe’s Flash Player Distribution page.”
Krebs’ criticism pales compared to the more general dismay coming from nCircle’s director of security operations, Andrew Storms. “Today's Flash patch is another 'classic' Adobe release bulletin,” he says. “It’s missing everything important to IT security teams. Why can't vendors provide decent mitigation advice instead of assuming everyone will upgrade immediately? This attitude reflects a willful ignorance of the issues that enterprise security teams grapple with day in and day out.”
He is also concerned that he gets most prior warning from Twitter rather than Adobe. “Just once,” he says, “I’d like to get an Adobe release that wasn't a total surprise. And, why do I need to rely on Twitter for patch notifications, especially for software as ubiquitous as Adobe Flash?” He is not alone in concern over a lack of clarity from Adobe. Less than a week ago the company quietly updated last month’s Flash advisory with four additional vulnerabilities. “Dear @Adobe, when you stealth add 4 CVE to a ~ month old advisory, that doesn't help anyone. That is not transparent,” tweeted the Open Source Vulnerability Database (@osvdb).