Background
On May 10, 2016, a new critical vulnerability was announced for Adobe Flash Player versions 21.0.0.226 and earlier. Adobe reported that the vulnerability was being exploited in the wild and rated its severity as “Critical”. On May 23, Threatpost.com reported that three exploit kits had integrated code exploiting the vulnerability.
Adobe released an update on May 12, version 21.0.0.242, that addresses this vulnerability.
Impact
If successfully exploited, the vulnerability allows an attacker to gain control of the affected system and install malware. Documented payloads include ransomware and credential-stealing malware, including malware that specifically targets banking usernames and passwords.
At least one current delivery method works by spamming Office files that contain an embedded Flash file. Because the recipient is enticed to download and open the file outside the browser, this method can bypass browser-based protective measures such as click-to-play or Flash-suppressing plugins.
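As an added, defender-side illustration of the delivery method described above (this is not part of the original advisory): a Python triage check that scans a zip-based Office (OOXML) document for the Shockwave Flash ActiveX CLSID or for a raw SWF header in an embedded part. The CLSID and the SWF signatures are public values the advisory does not list, and the sample documents are constructed in memory; legacy binary OLE containers (.doc/.xls) are assumed out of scope here.

```python
import io
import zipfile

# Public, well-known CLSID of the Shockwave Flash ActiveX control
# (not quoted by the advisory itself).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF container signatures: FWS = uncompressed, CWS = zlib, ZWS = LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_embedded_flash(doc_bytes):
    """Return (part_name, reason) for every part of an OOXML container
    (.docx/.xlsx/.pptx, all zip archives) that references or embeds Flash."""
    findings = []
    needle = FLASH_CLSID.lower().encode()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            # ActiveX control parts declare the control by CLSID; a byte
            # search avoids decoding binary parts.
            if needle in data.lower():
                findings.append((name, "Shockwave Flash CLSID referenced"))
            # Embedded objects or media carrying a raw SWF header.
            elif data[:3] in SWF_MAGICS:
                findings.append((name, "SWF header " + data[:3].decode()))
    return findings


def build_sample_docx(with_flash):
    """Construct a minimal .docx-like zip in memory (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID)
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"CWS\x0b" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("flash", True)):
        hits = find_embedded_flash(build_sample_docx(flag))
        print(label, hits or "no Flash content found")
```

A hit is a triage signal for mail-gateway or sandbox review, not proof of exploitation; legitimate documents with embedded Flash also trigger it.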
Platforms affected
Flash Player 21.0.0.226 and earlier.
Local observations
IU's Unified Device Management service updated Flash to version 21.0.0.242 on May 23. Computers that are part of the Global Patching Service should have received the update after 1 a.m. that day.
Those managing systems that are not part of Unified Device Management and are not using Secunia's CSI and a local WSUS server should update Flash to the latest version.
UISO recommendations
- Consider disabling Flash altogether if possible.
- Update Flash to the latest version.
- Enable "click-to-play" in your browser.
- Only open attachments from trusted senders. As a sender, when appropriate, consider using Box or another collaborative technology to share files rather than sending them as email attachments.
- Consider digitally signing email in order to help recipients distinguish between mail legitimately sent by you and fakes; this helps users know when to distrust attachments.