Security Advisory: Adobe Flash Player
Update: Adobe has released an updated version of Flash Player that fixed this vulnerability. Download it through normal update channels, or manually here: https://get.adobe.com/flashplayer/
On Tuedsay July 7th, Adobe identified a critical vulnerability affecting all current versions of Adobe Flash Player, allowing the distribution of malicious software simply by browsing the web.
Protecting Yourself from Attack
- Install Malwarebytes Anti-Exploit. Malwarebytes has confirmed that users of it’s Malwarebytes Anti-Exploit (MBAE) software are protected from this, and many other attacks. MBAE is seperate from the standard Malwarebytes Anti-Malware, and can be downloaded directly from Malwarebytes here:
- Enable Click-To-Run for Browser Plugins. This will prevent all potentially-dangerous interactive content from running without user-interaction. Here’s an easy all-in-one guide from How-To Geek:
- Keep all plugins up-to date. It is important that plugins (such as Adobe Flash, Java, Silverlight, etc.) be kept up-to date at all times.
Please be aware that as of writing, there is no version of Adobe Flash that is protected against this particular attack.
On July 6, 2015, a group known as “Hacking Team” publicly released a Flash 0day exploit which allows arbitrary code execution on any machine running flash player. The exploit was quickly implemented in several exploit kits (Angler EK, Neutrino, Nuclear, etc.), and is being used to distribute malicious software, such as CryptoWall. On July 7, Adobe identified the vulnerability and published a security bulletin, assigning the exploit CVE-2015-5119 and a severity rating of critical. They expect to release a fix for the issue sometime on July 8, 2015.
- Adobe Security Bulletin
- MalwareBytes Anti-Exploit
- How-To Geek: How to enable click-to-play plugins in every web browser