WavebreakmediaMicro - Fotolia

Adobe patches Flash Player vulnerability CVE-2015-3113

Security updates for Adobe Flash Player for Windows, Macintosh and Linux address vulnerability CVE-2015-3113 that allows attackers to control the system

Adobe has issued emergency patches to fix a major security hole in its Flash player, which is already being exploited in the wild.

The security updates for Adobe Flash Player for Windows, Macintosh and Linux address a critical vulnerability (CVE-2015-3113) that could allow an attacker to take control of the affected system.

Adobe warned that systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.

The company recommended users update their product installations to the latest versions.

Flash and Java provide easy attack vectors for hackers. And many site developers are actively moving to HTML 5 and JavaScript, giving them greater portability and compatibility across desktop, mobile and tablet devices. YouTube, for instance, now offers a non-Flash video player.

At the same time, Google Chrome will no longer support Java, older versions of Flash or Silverlight that use the NPAPI plug-in interface.

With many businesses still using Flash and Java internally on their intranets, enterprises are at risk from web-based exploit kits such as Angler.

Craig Young, security researcher at Tripwire, said: "Flash, along with ActiveX and Java, are remnants of the 1990s 'Web 2.0’ technology boom. The nature of these technologies allowed attackers to run code directly on remote computers and revolutionised the attack surface of the internet.

"The has been a constant barrage of vulnerabilities in all Web 2.0 technology, as well as a constant stream of ‘update’ messages to users. This has given way to a newer and very successful form of attack wherein the attacker spoofs an update message tricking users into downloading malware. 

"These tricks can be particularly effective, as illustrated by the 2012 Flashback malware which exploited Java on roughly 600,000 Apple computers in the 6 weeks it took for Apple to respond with patches."

Since Java 8 was released in March 2014, it has been updated over seven times. In a locked-down enterprise IT environment, where users do not have admin rights, each time Adobe or Oracle releases a patch, IT needs to roll out a patch. Often the patch will need testing, since it could break the very applications that require the Java or Flash plug-in.

Read more about patch management


Read more on Web application security