Background
On Dec. 15, a new critical vulnerability was announced for Adobe Flash Player versions 23.0.0.207 and earlier. Adobe reported that this vulnerability was being exploited in the wild and categorized its severity as Critical. Threatpost.com published a notice of active exploits used against Internet Explorer.
Adobe released an update on Dec. 15, version 24.0.0.186, which addresses these vulnerabilities.
Impact
This vulnerability can be exploited just by visiting a website using Internet Explorer.
If successfully exploited, the vulnerability allows an attacker to gain control of the affected system and install malware. Documented types include ransomware and credential-stealing malware, including malware that specifically targets banking usernames and passwords.
Platforms affected
Flash Player 24.0.0.186 and earlier.
Local observations
Administrators of systems that are not enrolled in Unified Device Management and are not patched through Secunia's CSI and a local WSUS server should update Flash to the latest version themselves.
University Information Security Office recommendations
- Uninstall Flash, or disable Flash until it is needed.
- Enable Flash click-to-play in your browser.
- Update Flash to the latest version.
- Only open attachments from trusted senders. As a sender, when appropriate, consider using Box or another collaborative tool to share files rather than sending them as email attachments.
- Consider digitally signing email in order to help recipients distinguish between mail legitimately sent by you and fakes; this helps users know when to distrust attachments.
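As an added example, not part of the advisory, the following PowerShell check lets an administrator confirm on a Windows host whether any installed Flash Player component is older than the fixed release 24.0.0.186. It assumes the Flash binaries live in the usual Macromed\Flash directories under System32 and SysWOW64; adjust the paths if your deployment differs.

```powershell
# Added example, not from the advisory: report Flash Player components on this
# Windows host that are older than the fixed release 24.0.0.186.
# Assumption: Flash binaries live under <windir>\System32\Macromed\Flash and
# <windir>\SysWOW64\Macromed\Flash (ActiveX Flash*.ocx, NPAPI NPSWF*.dll,
# PPAPI pepflashplayer*.dll). Verify these locations on your own image.
$FixedVersion = New-Object System.Version 24, 0, 0, 186

function Get-FlashComponent {
    # Returns one object per Flash binary found, with a numeric [version]
    # built from the PE version resource fields (the display string may use
    # commas and would not compare correctly as text).
    $dirs = @("$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash")
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF*.dll', 'pepflashplayer*.dll' -Recurse |
            ForEach-Object {
                $vi = $_.VersionInfo
                [pscustomobject]@{
                    Path    = $_.FullName
                    Version = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
                }
            }
    }
}

function Test-FlashPatched {
    # [version] compares field by field, so 23.0.0.207 is correctly ranked below 24.0.0.186.
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Fixed = $FixedVersion
    )
    return ($Installed -ge $Fixed)
}

$components = @(Get-FlashComponent)
if ($components.Count -eq 0) {
    Write-Output 'No Flash Player binaries found in the expected locations.'
}
foreach ($c in $components) {
    $state = if (Test-FlashPatched -Installed $c.Version) { 'patched' } else { 'VULNERABLE - update required' }
    Write-Output ("{0}`t{1}`t{2}" -f $c.Version, $state, $c.Path)
}
```

Run it from an elevated PowerShell prompt; a host with no Flash binaries at all is reported as such, which for this advisory is the desired state.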