updated 01:00 am EDT, Wed July 9, 2014
Flaw allows attackers to steal authenticating cookies, hasn't been seen in wild yet
Adobe has issued an emergency patch of its Flash Player technology to correct a security flaw that could allow hackers false access to thousands of popular websites -- notably Twitter, Instagram, Tumblr and eBay among many others. The patch, which will update Flash to version 22.214.171.124, is considered "critical" for users of OS X, Windows and Linux operating systems. Even if users have Flash Player disabled in their browser, they may still need to update if they are using any products that require Adobe AIR.
The updated version number for Linux users is Adobe Flash Player 126.96.36.1994. Users of Google Chrome and Internet Explorer versions 10 or 11 on Windows will have the Flash versions automatically updated when they update to the latest version of those browsers. The company advises that developers using the Adobe AIR SDK and Compiler should update to Adobe AIR version 188.8.131.52 of those tools, along with users of Adobe AIR for Android. Flash technology doesn't work on iOS devices, and therefore iPad, iPhone and iPod touch owners don't need to do anything for those devices.
The flaw affects previous versions of Flash Player as well, so the software should be disabled entirely on machines too old or running older operating systems that can't update to at least version 184.108.40.206, which Adobe has made available specifically for older machines and OS versions. Macs running OS X 10.6.x or later, or PCs still on Windows XP or later, should be able to update to either the aforementioned 220.127.116.11 or the latest version of Flash, which fixes the issue.
Affected websites are also attacking the vulnerability from their end, even though no known instances of attack through this vector has been seen "in the wild" as of yet. The flaw was found to allow hackers to steal the "cookie" used by many websites off of users' computers, allowing the attacker to login to the website as the just-departed user and take control of the account on that website.