Update (07/07 11:55 AM PT): Adobe released a security bulletin about this vulnerability which is assigned CVE-2015-5119. A fix is scheduled for July 8.
– – – –
The security community was ablaze yesterday with the news of a massive data dump and hack of most controversial firm Hacking Team.
Hacking Team specializes in surveillance software which it resells to various governments around the world, and in particular to some oppressive regimes, a major issue that has activists outraged.
The data stolen from the firm contains several gigabytes worth of exploits, malware and other very sensitive information.
Among them, a new Flash Player zero day (CVE-2015-5119) affecting Flash Player up to version 18.0.0.194 was found and is making headlines.
We analyzed a copy of the exploit and can confirm that Malwarebytes Anti-Exploit users were already protected against this threat:
Without a doubt cyber criminals have already got their hands on it and will integrate it in their exploit kits soon.
Software vendor Adobe is said to be working on an emergency patch. In the meantime, you should be extremely cautious and either disable the plugin or make sure you are running anti-exploit mitigation software to protect yourself.
We will update this blog post with additional information as it comes through.
Yes I got the exploit warning in IE9, but not in Pale Moon 25.5? Could this be because I have click-to-play enabled and that I’m using Flash ESR (v13,0,0,296)??
Is it only Anti-Exploit Premium that stops the Flash exploits? I am using Anti-Exploit Free with Chrome and Firefox browsers. I don’t see Adobe Flash listed in the Anti-Exploits sheilds. Or does Anti-Exploit work with the Chrome plug-ins and the Firefox add-ons for Flash? Thanks for your great software.
The FF implementation may be different. Enabling click-to-play is a sound choice.
Hi Jim,
The Free version of Anti-Exploit will also block this 0day, and as you mention, also within browser plugins or add-ons. Cheers!