Last week, Adobe issued an emergency security patch fixing a critical flaw in its Flash Player that could allow a remote hacker to take complete control of Windows, Mac and Linux computers.
At the time of public disclosure, it was believed that the vulnerability (known as CVE-2015-3113) was being exploited by a Chinese hacking gang known as APT3.
According to Fireeye, the APT3 gang was launching limited targeted attacks via email to organisations in a number of industries (including defence, aerospace, construction, high tech and telecoms) in order to open backdoors onto their computers for the purposes of spying and stealing information.
Things got more serious this weekend, however, when independent malware researcher Kafeine reported that the CVE-2015-3113 Flash flaw had also been incorporated into the Magnitude and Angler exploit kits.
The fact that an exploit for the Flash vulnerability has now been built into kits that any malicious hacker could potentially use makes the threat much more significant, as a far wider pool of criminals can now exploit it with little effort.
At the time of writing, it appears that malicious hackers are using the exploit to infect computers with versions of the Cryptowall ransomware.
Adobe says the following versions of Adobe Flash are vulnerable to the exploit:
- Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux
According to Adobe, “systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.” That’s an admission, perhaps, that Windows 8 and above do a better job of preventing exploits like this from working – and a loud and clear warning to organisations who are still stuck riskily running Windows XP way past its use-by date.
Adobe recommends users update their product installations to the latest versions:
- Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.194.
- Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.296.
- Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.468.
- Adobe Flash Player installed with Google Chrome and Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 18.0.0.194.
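For anyone triaging a fleet rather than a single PC, the question is simply "is this installed build older than the fixed build for its branch?". The script below is an added example, not code from the article or from Adobe: it compares installed version strings against the fixed builds Adobe shipped for CVE-2015-3113 (18.0.0.194 for the desktop runtime, 13.0.0.296 for the Extended Support Release, 11.2.202.468 for Linux) and flags anything older, anything on an abandoned branch (12.x, 14.x to 17.x, which never received this fix), and anything whose version string cannot be parsed. The hostnames and version strings in the sample inventory are constructed for the example.

```python
"""Added example (not from the article): classify installed Flash Player
versions against the fixed builds Adobe shipped for CVE-2015-3113
(Adobe bulletin APSB15-14), so an inventory can be triaged quickly."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed build per product branch (major version -> fixed build).
# 18: desktop runtime for Windows/Mac (also what Chrome and IE on Windows 8.x
#     update to); 13: Extended Support Release; 11: Linux.
FIXED_VERSIONS: Dict[int, Version] = {
    18: (18, 0, 0, 194),
    13: (13, 0, 0, 296),
    11: (11, 2, 202, 468),
}


def parse_version(text: str) -> Version:
    """Turn a dotted Flash version ("18.0.0.161") into a comparable tuple.

    Flash versions always have four numeric fields; anything else (a missing
    field, a stray suffix, a mangled string) raises so the host is flagged
    for manual review instead of being silently compared as text."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def fixed_version_for(major: int) -> Optional[Version]:
    """Return the fixed build a given branch should be compared against.

    Anything at or beyond the 18.x desktop branch is measured against the
    18.x fix (a later 19.x build is newer than the fix and therefore fine);
    the 13.x ESR and 11.x Linux branches have their own fixed builds; older
    branches (12.x, 14.x to 17.x) were never patched for this flaw and have
    no fixed build at all."""
    if major >= 18:
        return FIXED_VERSIONS[18]
    return FIXED_VERSIONS.get(major)


def is_vulnerable(version: str) -> bool:
    """True if the installed build predates the fix for its branch."""
    v = parse_version(version)
    fixed = fixed_version_for(v[0])
    if fixed is None:
        return True          # abandoned branch: only cure is the current runtime
    return v < fixed         # tuple comparison is numeric, field by field


def find_unpatched(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: installed version}, list hosts still exposed.

    Unparseable versions are included: an unknown state is not a safe state."""
    exposed = []
    for host, version in sorted(inventory.items()):
        try:
            if is_vulnerable(version):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return exposed


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "ws-01": "18.0.0.161",     # last vulnerable desktop build
    "ws-02": "18.0.0.194",     # patched
    "ws-03": "13.0.0.292",     # ESR, vulnerable
    "ws-04": "13.0.0.296",     # ESR, patched
    "lx-01": "11.2.202.466",   # Linux, vulnerable
    "lx-02": "11.2.202.468",   # Linux, patched
    "ws-05": "17.0.0.188",     # old branch, never fixed for this flaw
    "ws-06": "18.0.0",         # mangled inventory record
}

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: Flash {SAMPLE_INVENTORY[host]} needs updating")
```

Comparing tuples of integers rather than the raw strings matters: as text, "18.0.0.194" sorts before "18.0.0.61", which would let an old build pass as patched.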
Be aware that although Adobe has had a patch out for this flaw for a few days, and although the company does (eventually) roll out patches automatically these days, it is often a good idea to check manually whether an update is available, to be on the safe side.
If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.
The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).
But I would also recommend going further than this, and enabling Click-to-Play, one of the best ways to protect yourself against criminals exploiting vulnerabilities in Adobe Flash.
Of course, the ultimate step is to see whether you can survive on the web without Flash at all. That’s something security reporter Brian Krebs recently attempted for a month, and it seems he didn’t miss it!
8 comments on “Patch Adobe Flash urgently, or risk being attacked via the Magnitude exploit kit”
I've honestly not missed anything by having Flash disabled. Most websites (like YouTube) render in HTML5 which is not just more secure but more stable.
The only time I enable Flash is on a trusted webpage when there's no alternative and I really need to see the content. Doing this (assisted by click-to-play) along with effective anti-exploit mitigation has kept me safe so far – fingers crossed.
For non-tech users, Adobe's automatic update for Flash Player is abysmal. I have seen two week+ waits and sometimes the next update is out and the previous one has not yet been installed. It's great for those who know how but the PC is sold as a consumer device and automatic updates are too rarely reliable, especially Flash. Thank goodness so few now use Oracle Java.
What really amazes me is that such sloppy, perpetually unsafe software is still being used. Thankfully I am strictly Android, and never had Flash. Google at least saw the light quite some time ago (-: And I have only had a few instances where there were no options but Adobe.
Tried an Adobe Flash update this morning and it was a fail. Kept giving a message to close Internet Explorer, which was closed out. Adobe needs to focus on updates instead of trying to load and force other programs on to your computer that have nothing to do with Adobe Flash Player. Adobe failed to load Chrome, then when I tried to update again it tried to upload McAfee. Adobe can't seem to understand that because their junk is not working right and causing trouble, they are rapidly getting ready to go the way of the dinosaurs. Unable to adapt to the internet environment.
Malwarebytes Director of Special Projects tells me that Anti-Exploit Free will protect web browsers from this Adobe Flash buffer overflow.
I am NOT a shareholder of Malwarebytes, merely an enthusiastic user and customer.
I use this myself as per my first post. For those willing to pay the (little) extra you can pay to upgrade to the Premium version which protects more applications.
Or you can go free and use Microsoft's highly configurable EMET software but you need to know exactly how to configure it (it's not for novices). Setting the wrong options WILL cause incompatibility, freezing and programs not loading.
"…and a loud and clear warning to organisations who are still stuck riskily running Windows XP way past its use-by date."
Hi Cameron! How's everything at 10 Downing Street? All good, I gather? Did the UK government manage to upgrade all the XP systems? Wouldn't want you to be at risk (or have your computers downed!) when you spent all that extra money (£5.5m!) to receive special updates for a year, so you would have more time to spend MORE money to upgrade systems... so that you could save time and money. It's something like a recursive algorithm that doesn't break the problem into smaller pieces, only that you presumably will in fact finish at some point if not already (but by spending more money than you had to).
Another option is to use a two-browser system. Remove Flash from your computer and have Firefox for day-to-day browsing, then if something requires Flash have a browser like Chrome on hand, which has it built in and is automatically updated.