Another Hacking Team Flash Player 0day Uncovered (UPDATED)

New Flash Player Zero-Day in The Wild (updated)

Update(2): 10/16

Adobe releases a fix to patch this vulnerability with Flash Player version 19.0.0.226. You should download the latest version immediately if you are using Flash.

Adobe_update

Update: 10/16

The Flash zero-day was actually reported by a Google engineer two weeks prior to it being found in the wild.  from Google Project Zero initially posted a report on Sept 29th.

Flash_report

– –

A new Flash Player zero-day has been found in the wild and is being used in targeted attacks. Adobe has published a security bulletin and said it expects to release a patch during the week of October 19.

bulletin

The vulnerability which has been assigned as CVE-2015-7645 is rated critical and affects Adobe Flash Player 19.0.0.207 and earlier versions.

This means that even if you are running the latest version of this program, you are still vulnerable and can get infected by simply browsing the web, even on sites that you trust.

2015 has been a very bad year for the Flash Player and given that a patch won’t be available for several more days it is crucial to take immediate action to protect yourself. Indeed, this window of opportunity is something that exploit kit authors have taken advantage of in the past to infect scores of end users

Now is the time for you to seriously consider disabling or removing the Flash Player from your browser. For those that can’t do without it (many sites still require it), we strongly recommend that you use an exploit mitigation tool such as Malwarebytes Anti-Exploit.

We will keep you posted of further developments on this new zero-day.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher