How does one know if Flash is legitimate?

As always, look at the URL and see if it looks right, has misspellings, etc. Safest is always to do what you did and go to the company's site and download from there.

Take it from Apple. That is the only way if not updating from installed Adobe Flash/System Preferences.

http://support.apple.com/kb/HT5655

Best.

Only EVER download Flash Player from Adobe's own website.

Two bugs, one affecting Apple's Mac platform and another attacking Microsoft's Windows, exploit certain Flash player vulnerabilities to install malware onto users' systems, reports ArsTechnica. While users of other operating systems like Linux have yet to report attacks, Adobe's advisory notes the exploit affects all platforms.

Designated as CVE-2013-0634, the first vulnerability targets the Safari and Firefox Web browsers running on OS X, and is also being used as a trojan to deploy Microsoft Word documents containing malware. For Mac users, the flaw affects Adobe Flash Player version 11.5.502.146 or earlier.

The Adobe Flash patch can be found on the company's website, and users can visit this page to check if their software is the most curent 11.5.502.149 version.

In System Preferences > Flash Player, I turn off Flash Player's ability to check for update:

That way, if any pop-ups say Flash needs updating, I know they are bogus.

I manually check for updates about once a week.

NOTE: Even with manual updating, the brain-dead Flash installer resets your Prefs to "Allow Adobe to install updates (recommended)." After every manual update, remember to desecelt that option in System Preferences.