Tuesday, July 21, 2015

Adobe Knew The Risks of Flash

Adobe Threat
A few weeks ago, Adobe acknowledged the threat posed by its Flash player for Windows, Mac, and Linux when it released a security bulletin confirming a vulnerability in all versions. The company even reported that it is aware of reports that an exploit targeting this vulnerability has been publicly published, and this is the reason why it released a paths on 8 July 2015.

The unpatched Adobe Flash security hole (CVE-2015-5119) was found by security researchers looking through the data leaked from Hacking Team, an Italian company renowned for providing surveillance software that helps governments hack digital devices and snoop on citizens’ online activities.

The leak (400GB of emails, source code, client lists, invoices, server backups, and so on) occurred after Hacking Team was itself hacked earlier.

Adobe did not say that the vulnerability is being exploited in the wild. The company did admit, however, that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe confirmed the following versions are affected:
  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player and earlier 11.x versions for Linux
A few days later, security firm Symantec confirmed the vulnerability by replicating the proof-of-concept exploit on the most recent, fully patched version of Adobe Flash (

Competitor Trend Micro, which also detailed the discovery, notes that the Flash exploit was described by Hacking Team as "the most beautiful Flash bug for the last four years."

Given the number of Adobe Flash vulnerabilities that are discovered and exploited on a regular basis, it is recommended that the software is uninstalled and see if you can live without it. Most of the Web is moving away from Flash and towards HTML5 anyway.

No comments:

Post a Comment