As I write this, if you’re running Adobe Flash on your Windows, Mac, Linux or Chrome OS computer you’re potentially at risk.
Adobe has issued a security advisory, warning of an as-yet unpatched critical security hole in its popular Flash player software that is reported to being actively exploited by criminals in the wild.
No detailed information about the zero-day exploit (known as CVE-2016-4117) has yet been released. However, I don’t think anyone would be surprised if we heard that the unpatched vulnerability was being exploited in malvertising campaigns or watering hole attacks, perhaps in co-ordination with something like the notorious Angler Exploit Kit.
No doubt we will learn more about the nature of the attacks in the coming days, as Adobe says that it hopes to release a security update for the software this week (most likely it will arrive later today).
For now all we know are the curt details shared by Adobe in its advisory:
A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Obviously it makes sense to run a layered defence on your computer systems, which includes keeping your anti-virus and other software updated.
But more than that, you may wish to take this opportunity to consider your relationship with Adobe Flash – which has been troubled with flaws and malicious attacks many times over the years.
Even if you’re not ready to completely uninstall Flash, you may wish to consider enabling “Click to Play” in your browser to reduce your attack surface.
With “Click to Play” enabled, your browser won’t render potentially malicious Flash content unless you give it the go-ahead. In other words, a maliciously coded Flash file will not execute unless you give it explicit permission, rather than automatically running when you visit a poisoned webpage.
If you decide to keep Flash, make sure that it is being kept up-to-date on your computers. You can either rely on Adobe’s own automatic updates (which I find are sometimes rather slow to register that there is a new version available) or trigger one manually.
Mark James, security specialist at ESET UK, offers the following advice:
“Adobe flash is still found on way too many machines. It’s one of those programs that’s often not actually used as many vendors see it as a huge security problem. The program itself is one of many that users will leave on their machine without actually using it or understanding the security risk. As with all software these days you need to keep them on the latest versions or better still uninstall it if you don’t need it. Having a regular updating Internet security product will help to keep you safe.”
Oh, and if you don’t use Adobe Flash don’t feel too smug. There are plenty of other critical security vulnerabilities being found in software from other vendors all the time.
Just this week, for instance, Microsoft released an urgent fix for a zero-day vulnerability in its JScript and VBScript engines, used by the likes of Internet Explorer, and thought to have been used in targeted attacks against South Korea.
by Graham Cluley, ESET We Live Security