At the time of public disclosure, it was believed that the vulnerability (known as CVE-2015-3113) was being exploited by a Chinese hacking gang known as APT3.
According to FireEye, the APT3 gang was launching limited, targeted attacks via email against organisations in a number of industries (including defence, aerospace, construction, high tech and telecoms) in order to open backdoors onto their computers for the purposes of spying and stealing information.
Things got more serious this weekend, however, when independent malware researcher Kafeine reported that the CVE-2015-3113 Flash flaw had also been incorporated into the Magnitude and Angler exploit kits.
The fact that a method of exploiting the Flash vulnerability has now been built into malware kits that any malicious hacker could potentially use makes the threat much more significant – a far larger number of criminals can now exploit it with little effort.
At the time of writing, it appears that malicious hackers are using the exploit to infect computers with versions of the Cryptowall ransomware.
Adobe says the following versions of Adobe Flash are vulnerable to the exploit:
- Adobe Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 188.8.131.522 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player 184.108.40.2066 and earlier 11.x versions for Linux
According to Adobe, “systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.” That’s an admission, perhaps, that Windows 8 and above do a better job of preventing exploits like this from working – and a loud and clear warning to organisations who are still stuck riskily running Windows XP way past its use-by date.
Adobe recommends users update their product installations to the latest versions:
- Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 220.127.116.11.
- Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 18.104.22.1686.
- Users of Adobe Flash Player for Linux should update to Adobe Flash Player 22.214.171.1248.
- Adobe Flash Player installed with Google Chrome and Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 126.96.36.199.
Be aware that although Adobe has had a patch out for this flaw for a few days, and although the company does (eventually) roll out patches automatically these days, it is often a good idea to check manually whether an update is available, just to be on the safe side.
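Because Flash shipped several parallel release branches at once (the 18.x desktop runtime, the 13.x Extended Support Release and the 11.x Linux build), "are we on the latest version?" has to be answered per branch. The script below is an added example, not code from the article or from Adobe: it audits a constructed inventory of installed Flash versions against a per-branch minimum fixed version. The minimum versions in MINIMUM_FIXED and every host name, platform and version in INVENTORY are constructed placeholders; an administrator would substitute the fixed versions from Adobe's own bulletin for CVE-2015-3113.

```python
"""Audit Flash Player installs against per-branch minimum fixed versions.

Added example, not from the article. All version strings here are
CONSTRUCTED placeholders: replace MINIMUM_FIXED with the fixed versions
from Adobe's security bulletin for CVE-2015-3113 before real use.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed placeholder minimums, keyed by release branch (major version).
# A "latest version" check is branch-specific: an ESR host on 13.x is not
# expected to be on 18.x, so each branch carries its own threshold.
MINIMUM_FIXED: Dict[int, str] = {
    18: "18.0.0.900",    # placeholder for the desktop runtime fix
    13: "13.0.0.900",    # placeholder for the Extended Support Release fix
    11: "11.2.202.900",  # placeholder for the Linux fix
}

# Constructed inventory, e.g. exported from an endpoint-management tool.
INVENTORY = """\
host,platform,flash_version
ws-01,Windows 7 / IE,18.0.0.100
ws-02,Windows 8.1 / Chrome,18.0.0.900
ws-03,Windows 7 / ESR,13.0.0.100
srv-04,Linux,11.2.202.950
ws-05,Windows 7,not installed
ws-06,Windows 7,9.0.28
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.0.0.194' into (18, 0, 0, 194); reject non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(installed: str, minimums: Dict[int, str] = MINIMUM_FIXED) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-branch' for one install.

    Tuple comparison gives the usual dotted-version ordering, so 18.0.0.100
    sorts below 18.0.0.900. A major version with no entry in `minimums` is a
    branch the vendor no longer ships fixes for and needs attention too.
    """
    version = parse_version(installed)
    fixed = minimums.get(version[0])
    if fixed is None:
        return "unsupported-branch"
    return "patched" if version >= parse_version(fixed) else "vulnerable"


def audit(inventory_csv: str, minimums: Dict[int, str] = MINIMUM_FIXED) -> Dict[str, str]:
    """Classify every host in a CSV inventory; unreadable versions are flagged, not skipped."""
    results: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            results[row["host"]] = classify(row["flash_version"], minimums)
        except ValueError:
            # e.g. "not installed" or a blank field: do not silently pass it
            results[row["host"]] = "unparseable"
    return results


def hosts_needing_action(results: Dict[str, str]) -> List[str]:
    """Everything that is not positively confirmed patched goes on the worklist."""
    return sorted(host for host, status in results.items() if status != "patched")


if __name__ == "__main__":
    report = audit(INVENTORY)
    for host, status in report.items():
        print(f"{host:8} {status}")
    print("needs action:", ", ".join(hosts_needing_action(report)))
```

The design choice worth noting is that anything the script cannot positively confirm as patched (an unparseable field, an out-of-support branch) lands on the worklist rather than being dropped, so a broken inventory export cannot make a vulnerable host disappear from the report.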
The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).
But I would also recommend going further than this, and enabling Click-to-Play, one of the best ways to protect yourself against criminals exploiting vulnerabilities in Adobe Flash.
Of course, the ultimate step is to see whether you can survive on the web without Flash at all. That’s something security reporter Brian Krebs recently attempted for a month, and it seems he didn’t miss it!