Adobe Flash And Internet Explorer Threat Advisory Alert

As many of you may have heard, three new zero-day vulnerabilities have recently been revealed in Adobe Flash.

A zero-day, or 0-day, is a vulnerability that has already been exploited by hackers prior to the vendor becoming aware of its existence. Ars Technica explains the situation here. As you’ll see, this rightfully has the security world’s attention. Cisco researchers have found that these exploits are being served by at least 1800 domains, many of which appear to be legitimate sites that have been hijacked. Cisco’s research is available here.

Dunbar Cybersecurity is working with our technology partners to ensure the safety of our clients’ networks. However, as Adobe has not yet fully patched against the latest threat, we advise our customers to:

  1. Ideally, disable Flash within their organizations.
  2. If Flash is necessary, allow it only in Google’s Chrome browser, as it is known to be secure against this attack. Internet Explorer and Firefox, conversely, have been proven to be vulnerable.

On a similar note, a 0-day in Microsoft’s Internet Explorer was also released today, enabling a hacker to execute a cross-site scripting (XSS) attack. Though XSS attacks will not deliver malware to a user’s machine as the aforementioned Flash vulnerabilities will, they may allow an attacker to steal a user’s session (for example, with their online banking platform) and pose as the user. Our partner, Sophos, has written about this vulnerability here.

As more information becomes available, we will continue to update this threat advisory. If you have any questions or concerns, please do not hesitate to contact your support manager or call 855-312-7618.

UPDATE:

Adobe has issued an emergency security update for its Flash Player software. The newest update, version 16.0.0.305, fixes a critical security bug (CVE-2015-0313). Adobe said it is aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Click this link to see which version of Adobe Flash Player you currently have installed. If you are using multiple browsers (IE, Firefox, etc.), you may have to run the patch installer twice.