Critical Adobe Flash, Windows zero-days leak from Hacking Team raid
Security teams scramble to patch serious flaws
From what we've seen so far, inside the leaked source code lies an Adobe Flash exploit for which no patch exists: it can be used against Internet Explorer, Firefox, Chrome and Safari, and affects Flash Player 9 to the latest version, 18.104.22.168.
. . .
Adobe told us in a statement today that it is working on a patch, which it hopes to release by the end of the week. The vulnerability is present in its plugin software for Windows, OS X and Linux.Security Advisory for Adobe Flash Player (APSA15-03)
A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 22.214.171.124 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015.Note: As of this posting, CVE-2015-5119 remains unlisted at CVE.Mitre.org. Therefore, I cannot provide a link to its description.
Remove the Adobe Flash plug-in from your Mac NOW.
For those with an administrator password, this is how:
1) Open the root level Internet Plug-Ins folder, found here:
2) Locate these two files:
- Flash Player.plugin
3) Select them both and choose to "Move to Trash", either from the Finder File menu or the contextual menu. (Alternatively, you can move them both to a created holding folder, such as 'Internet Plug-Ins (Disabled).
4) Quit all your web browsers.
5) Reboot your web browsers.
- - EXCEPT Chrome! Do Not Use Google Chrome! Why? Because Google embedded Adobe Flash into Chrome. It's stuck there, and you can't get rid of it.
A) Use Chromium (of any flavor) instead. It does NOT include Flash. Everything else about it (except the default surveillance of your web behavior) is the same as Chrome.
B) Follow Google's instructions for turning OFF Flash in Chrome:After you've freed yourself from Adobe Flash, either stay that way (highly recommended) or keep an eye out of a new Adobe Flash update. Watch for a version of Flash higher than 18.0.0 194. That's the current bad version. Do not reinstall that thing again.
- Type chrome:plugins in the address bar to open the Plug-ins page.
- On the Plug-ins page that appears, find the "Flash" listing. To enable Adobe Flash Player, click the Enable link under its name. To disable Adobe Flash Player completely, click the Disable link under its name.
I'll also be posting another article here when Adobe fixes this latest zero-day exploit.