When it comes to patching software, Adobe Flash fixes may not be highest in priority for some organizations. Not for the latest one, however.
According to reports, a zero-day attack leveraging the latest Flash vulnerability on Windows 7 systems and below is already in one exploit kit, meaning the patch — issued June 23 — should be at the top of every CISO’s work list.
According to a blog post from a security researcher called Kafeine, the Magnitude kit is being used to implant a number of pieces of malware, including the Cryptowall ransomware.
Adobe said the patch, for Windows, Macintosh and Linux systems, addresses a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system. Systems running Internet Explorer on Windows 7 and below, as well as Firefox on Windows XP, are known targets.
On Windows systems, the latest version of Flash Player desktop is 18.0.0.194. Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.296. Adobe Flash Player installed with Google Chrome and Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 18.0.0.194.
Malwarebytes’ Jerome Segura also issued a warning Sunday about the Magnitude exploit. “For many users this is cutting it really short to be able to patch their software in due time. Without a doubt, this new exploit is going to wreak havoc on a large number of vulnerable machines.”
“Without a doubt, this is the year of Flash zero-days,” he adds, with many already suggesting completely uninstalling the Flash plugin. A compromise, he adds, is enabling “click-to-play” in all browsers, a feature that puts you in control of whether the plugin runs. A how-to guide is available here.