pixel_dreams - Fotolia
Security experts advise uninstalling Adobe Flash after the discovery of another zero-day vulnerability that affects all versions of the software on all platforms and is being exploited in the wild.
Just hours after releasing its monthly security update, Adobe issued a security bulletin warning about a critical vulnerability being exploited by hackers to install malware.
“A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux,” the security bulletin said.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” it continued.
Adobe plans to release an emergency patch to fix the vulnerability, but this is not expected before 16 October 2015, which means all users of Flash will remain vulnerable until then.
The vulnerability was discovered by researchers at security firm Trend Micro who found it is being exploited by cyber espionage group Pawn Storm that typically targets military, government and media organisations.
According to Trend Micro, the latest Pawn Storm campaign has targeted several foreign affairs ministries, sending emails pointing to web pages containing the Flash exploit.
Flash’s poor security track record has prompted calls for the software to be retired.
In January 2015, YouTube announced it would stop serving videos using Flash to anyone with a browser that supported modern streaming technology. In July Mozilla’s Firefox browser started blocking Flash by default and a month later Google announced that its Chrome browser would no longer play ads made using Flash automatically. Amazon also announced it would block the use of Flash in advertising on its sites.
Read more about zero-day exploits
- Google has come under fire for publishing a proof-of-concept attack exploiting a flaw in Windows 8.1 before Microsoft had released a security update
- Exploits of latest Adobe Flash Player zero-day vulnerability highlight threat to the enterpriseof web-based exploit kits such as Angler
- The hacking black market is outbidding legitimate IT firms for disclosure information onzero-day exploits, according to a report from thinktank Rand
Some security experts have advised disabling Flash or removing the plug-in altogether, particularly after the announcement of the latest zero-day vulnerability.
While a growing number of Flash users are deciding to remove the plug-in, independent security advisor Graham Cluley said most computer users are not ready to go that far.
But anyone unwilling to remove Flash should consider enabling “click to play” in their browser, he said, to prevent it from rendering potentially malicious Flash content automatically.
“Even though your own personal computer and business network may not be in the list of Pawn Storm’s targets, sooner or later you are going to have to address the Flash problem on your personal and work computers,” Cluley wrote in a blog post.
“Start planning what you are going to do now, because with the constant barrage of newly discovered Flash exploits it doesn’t seem sustainable for the status quo to continue,” he added.