Yet another zero-day exploit in Flash led Adobe to issue an emergency Flash Player patch yesterday. This time the update responds to a critical security flaw that lets an attacker install ransomware on a target's computer and then extort the victim for payment in exchange for returning control of the system.
Although Adobe said the only active attacks it was aware of were targeting Windows 10 and earlier machines running Flash Player version 20.0.0.306 and earlier, the security update includes fixes for Windows, Macintosh, Linux, and Chrome OS systems.
Exploit in the Wild
Adobe gave most of the updates in the patch a priority rating of 1, its highest level, meaning administrators should install them as soon as possible. The only update given a lower priority was the one for Flash Player for Linux, which received a priority rating of 3.
Proofpoint, one of the security research firms responsible for discovering the flaws, said that the vulnerability has the potential to expose more than 1 billion connected desktops to ransomware attacks. Proofpoint said that it discovered the vulnerability last week when the company found that it was being exploited by the Magnitude exploit kit, at which point it shared its findings with Adobe.
The exploit represents a significant risk for computer users because it is capable of compromising even the latest versions of Flash Player, Proofpoint said. Nevertheless, the exploit Proofpoint found in the wild was only being used against older versions of the software.
“Despite the fact that this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash,” the company wrote on its blog. “In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability.”
Still More Security Problems for Flash
The emergency security update is the second in as many months that Adobe has been forced to issue because of vulnerabilities in Flash Player. Like yesterday's update, the one issued in March also addressed vulnerabilities that could allow an attacker to take control of a target's system.
Last month's update came only a week after attackers took advantage of a Flash vulnerability to hit the AOL Ad Network with a malvertising campaign. The attack affected popular Web sites such as the Huffington Post, GameZone and LA Weekly: ads served on those sites from an AOL ad network redirected visitors to a site that exploited a Flash bug to download a Trojan onto users' computers.
At this point, it remains to be seen whether Flash's reputation as a favorite attack vector for hackers can get any worse. Adobe has already renamed Flash Professional as Adobe Animate CC, perhaps in part to distance the product from Flash Player.
Posted: 2016-05-21 @ 6:31pm PT
I'd like to know what PCH is doing about Flash Player when it is phased out altogether.
Posted: 2016-04-17 @ 8:53am PT
This is dated April 8, 2016. Furthermore, Flash is only active when the person allows the plugin to run; most of the time it's disabled. So not everyone is at risk, only those people who are constantly running the plugin 24/7. Also, people should stop visiting sites that they don't trust or clicking content or online files which are from a malicious host! Also keep Flash updated; if you follow these steps you are safe.
Posted: 2016-04-16 @ 8:10am PT
Horrible. So what do I need to do to play games like Pogo and PCH games? I am disappointed that you have not or do not consider the need to have another way. We the people have no way to play games. Are you serious? There is a way, I hope. Please resolve this, thank you.