On May 10, 2016, a new critical vulnerability was announced for Adobe Flash Player versions 220.127.116.11 and earlier. Adobe reported that the vulnerability was being exploited in the wild and rated its severity "Critical". On May 23, Threatpost.com reported that three exploit kits had integrated code exploiting the vulnerability.
Adobe released an update on May 12 (version 18.104.22.168) that addresses this vulnerability.
If successfully exploited, the vulnerability allows an attacker to gain control of the affected system and install malware. Documented payloads include ransomware and credential-stealing malware, including families that specifically target banking usernames and passwords.
At least one current delivery method spams Office files that contain an embedded Flash file. Because the user is enticed to download and execute the file outside the browser, this method can bypass browser-based protections such as click-to-play or Flash-suppressing plugins.
Affected versions: Flash Player 22.214.171.124 and earlier.
IU's Unified Device Management service updated Flash to version 126.96.36.199 on May 23. Computers that are part of the Global Patching Service should have received the update after 1 a.m. that day.
Those managing systems that are not part of Unified Device Management and are not using Secunia's CSI and a local WSUS server should update Flash to the latest version.
- Consider disabling Flash altogether if possible.
- Update Flash to the latest version.
- Enable "click-to-play" in your browser.
- Only open attachments from trusted senders. As a sender, when appropriate, consider using Box or some other collaborative technology to share files rather than sending them as email attachments.
- Consider digitally signing email in order to help recipients distinguish between mail legitimately sent by you and fakes; this helps users know when to distrust attachments.
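The delivery method described above (an Office file carrying an embedded Flash object) can be triaged at the mail gateway or on a quarantined attachment by looking for an SWF header inside the document's embedded parts. The following is an added example, not IU's tooling or code from this advisory: it unzips an OOXML package (docx/xlsx/pptx), scans only the embedding, media and ActiveX parts for the FWS/CWS/ZWS magic, falls back to a raw scan for non-zip (legacy OLE2) input, and builds a constructed sample document to run against. The part names and the fake SWF bytes are assumptions for demonstration.

```python
import io
import re
import struct
import zipfile

# An SWF begins with FWS (uncompressed), CWS (zlib) or ZWS (LZMA) followed by a one-byte
# SWF version; limiting that byte to 1..42 trims, but does not eliminate, text matches.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x2a]")

# OOXML parts in which an embedded object, ActiveX control or media blob can live (assumed set).
EMBED_PARTS = ("/embeddings/", "/media/", "/activeX/")

def scan_blob(label, blob):
    """Yield (part, offset, swf_version, declared_length) for each SWF header in blob."""
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        (declared_len,) = struct.unpack_from("<I", blob, off + 4)  # uncompressed size from header
        yield (label, off, version, declared_len)

def find_embedded_flash(data: bytes):
    """Return every SWF header found in an Office document as a list of hit tuples.
    OOXML packages are unzipped and only embedding-type parts are scanned; a non-zip
    input (e.g. a legacy OLE2 .doc) is scanned as one raw blob, which still catches an
    SWF stream stored uncompressed inside it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return list(scan_blob("<raw>", data))
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".bin") or any(p in name for p in EMBED_PARTS):
                hits.extend(scan_blob(name, z.read(name)))
    return hits

def build_sample(with_flash: bool) -> bytes:
    """Constructed test input: a minimal OOXML-shaped zip (not a real Office file) with a
    PNG decoy containing 'CWS' plus, optionally, a fake SWF header in an ActiveX part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\nCWS\x00not-a-swf")  # version byte 0
        if with_flash:
            fake_swf = b"CWS\x0b" + b"\x40\x00\x00\x00" + b"\x78\x9c" + b"\x00" * 30  # v11, length 64
            z.writestr("word/activeX/activeX1.bin", b"\x00" * 16 + fake_swf)
    return buf.getvalue()
```

A hit is a triage signal, not proof of exploitation: legitimate documents can embed Flash, so route matches to sandbox detonation or manual review rather than blocking outright.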