The hack of spyware company Hacking Team has unleashed yet more critical zero-day Adobe Flash vulnerabilities for which no official patches yet exist.
If successfully exploited, the two vulnerabilities could allow criminal hackers to hijack innocent people’s computers in order to steal information, plant further malware or launch attacks.
In an advisory published this weekend, Adobe said it hoped to roll out an emergency security update (yes! another one!) in the coming days.
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.
According to Adobe, the vulnerable versions of Flash are:
- Adobe Flash Player 18.0.0.203 and earlier versions for Windows and Macintosh
- Adobe Flash Player 18.0.0.204 and earlier versions for Linux installed with Google Chrome
- Adobe Flash Player Extended Support Release version 13.0.0.302 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 11.2.202.481 and earlier 11.x versions for Linux
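For anyone looking after more than one machine, the four bullets above can be turned into an inventory check. This is an added example, not code from Adobe or from this article; the platform labels, host names and sample inventory are constructed for illustration, and the thresholds encode the per-platform list exactly as written.

```python
import re

# Last affected build per bullet in Adobe's list. A branch of None means
# "this version and anything earlier"; a number limits the rule to that major.
# The platform labels are this example's own naming (an assumption).
AFFECTED = [
    ({"windows", "macintosh"}, None, (18, 0, 0, 203)),
    ({"linux-chrome"}, None, (18, 0, 0, 204)),
    ({"windows", "macintosh"}, 13, (13, 0, 0, 302)),  # Extended Support Release
    ({"linux"}, 11, (11, 2, 202, 481)),               # Extended Support Release
]

def parse_version(text):
    """Turn '18.0.0.203' or 'WIN 18,0,0,203' into a comparable 4-tuple."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"not a Flash version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(platform, version_text):
    """True if the advisory's list covers this platform/version pair."""
    version = parse_version(version_text)
    for platforms, branch, last_bad in AFFECTED:
        if platform not in platforms:
            continue
        if branch is not None and version[0] != branch:
            continue
        if version <= last_bad:
            return True
    return False

def triage(inventory):
    """Return the rows that need Flash disabled or updated."""
    flagged = []
    for host, platform, version_text in inventory:
        try:
            if is_affected(platform, version_text):
                flagged.append((host, platform, version_text))
        except ValueError:
            # Unparseable version: flag for manual review rather than skip it.
            flagged.append((host, platform, "UNKNOWN"))
    return flagged

# Constructed inventory, e.g. exported from an asset-management tool.
INVENTORY = [
    ("ws-01", "windows", "18.0.0.203"),
    ("ws-02", "macintosh", "MAC 13,0,0,296"),
    ("ws-03", "linux", "11.2.202.481"),
    ("ws-04", "linux", "11.2.202.491"),   # constructed later build
    ("ws-05", "linux-chrome", "18.0.0.204"),
    ("ws-06", "windows", "19.0.0.0"),     # constructed later build
    ("ws-07", "windows", "n/a"),
]
```

Hosts whose version string cannot be parsed are flagged as `UNKNOWN` so they get checked by hand instead of silently passing.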
Technical details of one of the vulnerabilities (CVE-2015-5122) are described in a blog post by FireEye security researcher Dhanesh Kizhakkinan.
Separately, Trend Micro discovered the other zero-day vulnerability (CVE-2015-5123), and recommended that users disable Adobe Flash until a patch becomes available.
These, and the earlier vulnerability, were uncovered in the files leaked from spyware firm Hacking Team.
Hacking Team, of course, was hoping to keep knowledge of the vulnerabilities out of the hands of Adobe so that it could continue to sell them to governments and law enforcement agencies around the world.
Unfortunately (for them) Hacking Team got hacked. Not the greatest advert for a company working in one of the shadier corners of the security industry.
If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.
The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).
But I would also recommend going further than this, and enabling Click-to-Play, one of the best ways to protect yourself against criminals exploiting vulnerabilities in Adobe Flash.
Of course, the ultimate step is to see whether you can survive on the web without Flash at all. An idea that is becoming increasingly attractive.
Further reading:
- Adobe patches Flash against zero-day vulnerabilities
- All versions of Firefox are blocking Flash by default. No-one cries
As an alternative to click-to-play, which will render some pages I frequently need useless from a practical point of view, I have installed a Chrome extension called Flashblock, since it allows managing white/blacklists as well. http://bit.ly/1DbL1EG Of course there are more Chrome extensions that do the same, this is not to say that this one is the best or the only one (no I’m not affiliated with the coder of this Extension either :-)
Should the flash-platform of a white-listed site be compromised, of course you're just as screwed as otherwise. Still, when using it wisely, I prefer such a blocker instead of the native click-to-play option.
Any views to the contrary: let me know!
There is one improvement to your suggestion (I personally use FF and NoScript even though I dislike Mozilla.. I hate Google and in any case there are some technicalities that are beside the point which is that add-ons are definitely useful); your suggestion is sound, but: use both an add-on to block (in your case flash) and you also use click to play. Yes, it involves one more step but it protects you a bit more (if ever there is a flaw in the add-on or even click to play or whatever else, you have both layers). Even if both layers are working correctly, the more explicit you are, the better (more specifically you use a white list instead of a black list).
Thanks for your suggestion, I will consider (though I might get a tired finger ;o)
Yes, it can be a hassle indeed. But that is an unfortunate part of security; finding that balance 100% of the time for 100% of cases is impossible (and it is hard enough to get it right for individual cases). I am personally quite used to NoScript but it definitely isn't for everyone (I'd guess it isn't for most people even). Even I can get annoyed with it but that is being annoyed at sites that use many scripts that refer to other scripts (on other sites.. which might also refer to other sites, which might refer to other sites…). It all comes down to what convenience you're willing to sacrifice.
I would urge people to protect themselves with some decent anti-exploit software (e.g. EMET or MBAE) as this mitigates against the underlying techniques used to exploit Flash and other software.
Of course, PATCH when a new version of Flash/*insert your favourite software here* is released but have the additional protection on your computer should it be needed.
Here's an article on how Malwarebytes Anti-Exploit protected against the latest Flash vulnerabilities.
https://blog.malwarebytes.org/exploits-2/2015/07/neutrino-ek-leverages-latest-flash-0day/
Their free version works just fine, unless you need the additional protection for Microsoft Office:
https://www.malwarebytes.org/antiexploit/
@John – I'd urge people not to blindly click bit.ly links as they can blindly redirect you to a malicious page. The Google Chrome plugin link (for people who don't want to use the shortened URL) is:
https://chrome.google.com/webstore/detail/flashcontrol/mfidmkgnfgnkihnjeklbekckimkipmoe