I’ve recently read about ‘Web worm’ attacks aimed at Facebook and MySpace, and just today I read about social engineering attacks (ploys, tricks) against Twitter. ZDNet’s Ryan Naraine posted ‘Adobe: Beware of fake Flash downloads’ just today, and Adobe’s David Lenoe posted ‘Verifying Installers’ on Adobe’s Product Security Incident Response Team blog yesterday. Here’s the skinny from Adobe’s blog, color & formatting added by me for emphasis:
We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious.
Second, all Adobe software for Windows is signed with a digital certificate that is validated by Windows when you install our software. The Publisher will always be ‘Adobe Systems, Incorporated’, and you can verify this when you double-click the installer, or by right-clicking on the installer, selecting ‘Properties’, and going to the ‘Digital Signatures’ tab.
For Flash Player in particular, you can always go to this page to verify what version of Flash Player you have installed, and what the current version of Flash Player is for your Operating System.
In other words, if you didn’t already know it, Adobe is the only source for reliable Flash downloads, and so far as I know the only source for Flash downloads at all.
I mentioned earlier that ‘Web worms’ are slinking through Facebook and MySpace, also according to ZDNet (‘Web worms squirm through Facebook, MySpace’), and the good news here is that it’s the same social engineering type of attack, trying to get people to download a Flash update. As said before, only update your Flash from Adobe’s website and avoid these malware files masquerading as valid updates.
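The ‘Digital Signatures’ check from the Adobe post can also be done from PowerShell before an installer is ever double-clicked. The function below is an added example, not code from Adobe or from the original post; the function name and the file name in the usage comment are hypothetical, and the default publisher string is the one quoted above.

```powershell
# Added example: scripted form of the Properties > Digital Signatures check.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Publisher name quoted in the Adobe post; pass another value for other vendors.
        [string]$ExpectedPublisher = 'Adobe Systems, Incorporated'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Windows validates the embedded Authenticode signature and its certificate chain.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $publisher  = $null
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        # SimpleName resolves to the common name on the signing certificate.
        $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher  = $sig.SignerCertificate.GetNameInfo($nameType, $false)
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # Both conditions must hold: a matching name means nothing if the signature
    # is untrusted or the file was altered after signing (HashMismatch).
    $signatureValid = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    # Whole-string comparison, so a look-alike name with extra words fails.
    $publisherMatch = ($null -ne $publisher) -and ($publisher -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Publisher  = $publisher
        Thumbprint = $thumbprint
        Trusted    = $signatureValid -and $publisherMatch
    }
}

# Usage (hypothetical file name):
# Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\install_flash_player.exe"
```

Treat anything other than Trusted = True as a reason not to run the file: an unsigned fake update reports NotSigned, and a tampered copy of a genuine installer reports HashMismatch.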