Emergency Update For Adobe Flash, Which Is Having A Really Bad Year

Adobe Flash - get the latest security update!

Hackers got an unexpected present this week: a vulnerability in Adobe Flash that can be used to break into PCs, along with detailed instructions about how to use it. Adobe issued a patch within 24 hours, so you’re safe as long as you get the update promptly.


Practical details

Adobe Flash - version checker

Go to the Adobe Flash version checker in each browser you use regularly. If you have version 18.0.0.203 or later, you are safe. If you have an earlier version, get the latest Flash update from here. Don’t forget to uncheck the boxes for the crapware that Adobe will attempt to bundle with Flash!

If you are a subscriber to Bruceb Remote Management, you’ll get this update next Tuesday but don’t wait – take a minute and go check it out now. This one is worth doing as soon as possible.

The patch is sufficient protection for today, but Flash has become a frequent target. If you’re paranoid and willing to give up Flash content on websites, you can disable it on all websites by following the instructions here: http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/  I don’t recommend that; I don’t think Flash is enough of a threat to justify the inconvenience. But we may revisit that if this keeps up.


Background

Hacking Team is a shadowy Italian company that supplies digital spying tools to governments around the world, including the FBI and other US law enforcement agencies. It is the kind of company that makes you despair for the human race. It sells tools to infect computers, steal files, read emails, take photos, and record conversations. Its clients include repressive regimes around the world that use the hacking tools against dissident groups.

Hacking Team was hacked. On Sunday, hackers released a huge trove of files stolen from the Hacking Team servers. The released info is ugly – its products are used for evil ends and its methods are repellent. Here are some details about that if you need a dose of despair.

But it got worse. The released files included vicious hacking tools intended for use by government agencies like the US Drug Enforcement Agency. One of them was a method of attacking Adobe Flash that would allow a computer to be taken over if you did nothing more than go to a poisoned website or clicked on a malicious email attachment. The Flash vulnerability was previously unknown; there are hints in the leaked files that suggest Hacking Team may have been using it for some time.

Hackers immediately weaponized the Flash vulnerability and packaged it into kits that could be used to deliver viruses like Cryptolocker. By Tuesday afternoon, hacking kits targeting the Flash bug were being spotted in the wild, with no patch available. That’s referred to as a “zero-day exploit”, and it’s the scenario that makes security experts break out into a sweat. Malwarebytes called it “one of the fastest documented cases of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by Hacking Team.”

Adobe Flash hack - zero day delivering Cryptolocker

Adobe released its update on Wednesday to patch the vulnerability. Its update mechanisms have improved and you may already have the update. Chrome handles Flash by itself, for example, and Chrome is quite good at installing updates automatically and quickly.

The problem is that Adobe Flash appears to be the punching bag for hackers in 2015. It’s the same process that Java went through in 2012/2013 – repeated attacks, repeated security risks, nonstop updates in futile attempts to stay ahead of the bad guys. The result was that Java stopped being used by developers and was uninstalled from many computers without being missed. The same thing may happen to Flash if this keeps up.

Adobe had to release an emergency Flash update in June to address a vulnerability that was being actively exploited by bad guys. There is a thriving market for exploit kits that hackers can buy as if they’re browsing the shelves at Best Buy, and the Adobe Flash exploits are hot sellers this year. After the June exploit appeared, a Malwarebytes researcher said, “We can expect other exploit kits to follow suit very soon and start delivering this latest vulnerability. Without a doubt, this is the year of Flash zero-days . . .”

There had previously been an emergency update for Flash in February and another one in April for zero-day vulnerabilities, and Adobe has been frantically releasing more routine monthly patches as well.

Install the Flash update and make sure you stay up to date with Windows, Office, and the programs installed on your computer. And remember that there are two proven ways to be safe online:

•  Subscribe to Bruceb Remote Management and install the agent on all your computers to get the latest updates for Flash and other utilities installed automatically.

•  Follow the Rules For Computer Safety.

Be careful out there!