Background
On Feb. 6, a new critical vulnerability was announced for Adobe Flash Player versions 28.0.0.137 and earlier. Adobe reported that the vulnerability was being exploited in the wild and rated its severity as "Critical".
Adobe released an update on Feb. 8, version 28.0.0.161, that addresses this vulnerability.
Impact
This vulnerability can be exploited even against users who are not browsing the web; malicious emails could also be used to exploit it.
If successfully exploited, the vulnerability allows an attacker to take control of the affected system and install malware.
Platforms affected
Flash Player 28.0.0.137 and earlier.
Local observations
Those managing systems that are not part of Unified Device Management and are not using Secunia's CSI and a local WSUS server should update Flash to the latest version.
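As an added example (not from the advisory), a small Python script that sorts an inventory of hosts by installed Flash Player version against the two versions named here, so that hosts outside central management can be listed for manual updating. The inventory rows are constructed sample data, and the "managed" flag is an assumption standing in for hosts covered by Unified Device Management, Secunia CSI or WSUS.

```python
# Added example, not part of the advisory: classify hosts by Flash Player version.
from typing import Optional, Tuple

AFFECTED_MAX = "28.0.0.137"   # highest version the advisory lists as affected
FIXED_MIN = "28.0.0.161"      # version delivered by the Feb. 8 update


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '28.0.0.137' into (28, 0, 0, 137); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version: Optional[str]) -> str:
    """Return 'not installed', 'affected', 'patched' or 'unknown'."""
    if version is None:
        return "not installed"
    v = parse_version(version)
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(FIXED_MIN):
        return "patched"
    return "unknown"   # build between the two known versions: still schedule the update


# Constructed inventory: (hostname, Flash version or None if not installed, managed?)
# "managed" is an assumed flag meaning the host receives updates centrally.
INVENTORY = [
    ("lab-pc-01", "28.0.0.137", False),
    ("lab-pc-02", "27.0.0.187", False),
    ("staff-03", "28.0.0.161", True),
    ("staff-04", None, True),
    ("kiosk-05", "28.0.0.137", True),
]


def hosts_needing_manual_update(inventory):
    """Unmanaged hosts that are not confirmed to be on the fixed version."""
    return sorted(host for host, ver, managed in inventory
                  if not managed and classify(ver) in ("affected", "unknown"))


if __name__ == "__main__":
    for host, ver, managed in INVENTORY:
        print(f"{host:10} {ver or '-':12} {classify(ver):13} {'managed' if managed else 'manual'}")
    print("manual update needed:", hosts_needing_manual_update(INVENTORY))
```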
UISO recommendations
- Uninstall Flash, or disable Flash until it is needed.
- Enable Flash's click-to-play in your browser.
- Update Flash to the latest version.
- Only open attachments from trusted senders. As a sender: When appropriate, consider using Box or some other collaborative technology to share file attachments rather than sending them through email.
- Consider digitally signing email in order to help recipients distinguish between mail legitimately sent by you and fakes; this helps users know when to distrust attachments.
- Enable auto-updates to limit the exposure time to any Flash vulnerability.