The hack of spyware company Hacking Team has unleashed yet more critical zero-day Adobe Flash vulnerabilities for which no official patches yet exist.
If successfully exploited, the two vulnerabilities could allow criminal hackers to hijack innocent people’s computers in order to steal information, plant further malware or launch attacks.
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 184.108.40.206 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.
According to Adobe, the vulnerable versions of Flash are:
- Adobe Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh
- Adobe Flash Player 18.104.22.168 and earlier versions for Linux installed with Google Chrome
- Adobe Flash Player Extended Support Release version 22.214.171.1242 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 126.96.36.1991 and earlier 11.x versions for Linux
Technical details of one of the vulnerabilities (CVE-2015-5122) are described in a blog post by FireEye security researcher Dhanesh Kizhakkina.
Separately, Trend Micro discovered the other zero-day vulnerability (CVE-2015-5123), and recommended that users disable Adobe Flash until a patch becomes available.
These, and the earlier vulnerability, were uncovered in the files leaked from spyware firm Hacking Team.
Hacking Team, of course, was hoping to keep knowledge of the vulnerabilities out of the hands of Adobe so that it could continue to sell them to governments and law enforcement agencies around the world.
Unfortunately (for them) Hacking Team got hacked. Not the greatest advert for a company working in one of the shadier corners of the security industry.
If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.
The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).
But I would also recommend going further than this, and enabling Click-to-Play, one of the best ways to protect yourself against criminals exploiting vulnerabilities in Adobe Flash.
Of course, the ultimate step is to see whether you can survive on the web without Flash at all. An idea that is becoming increasingly attractive.