Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory

Guidance - Flash Vulnerability CVE-2015-5119

During the Hacking Team breach that came to light earlier this week, a large quantity of Hacking Team's internal data was posted online.  Some of this data pertained to a 0-day (a vulnerability which the vendor is not aware of) in Adobe Flash, CVE-2015-5119, affecting versions 9 through to 18.0.0.194.  It allows an attacker to execute code on a victim's computer if the victim browses to a website with a malicious Flash file embedded.  A user browsing to an affected site could be compromised without performing any further actions, even if they are using Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

The leaked information on the Flash exploit was comprehensive enough that a person of sufficient technical skill could read the (now publicly available) information and recreate this exploit themselves; that is exactly what has happened.  This exploit quickly appeared in many of the attack toolkits popular with online criminals, making it available to a large number of people, and is now being actively used to exploit computers running Adobe Flash.

Due to the nature of 0-day vulnerabilities, there was no patch available initially; however, Adobe has since released version 18.0.0.203 to address the vulnerability.  Users who use Adobe Flash are strongly advised to upgrade ASAP.  As with any other browser plugin, if you do not use Flash, it is sensible to disable or remove it from your browser to ensure that the browser is not affected by any future vulnerabilities in the product.  Users who continue to use Flash should enable click-to-play, which configures the browser to require that the user consciously click to enable Flash on a webpage rather than having it run automatically.  With this option enabled, users will not execute embedded Flash objects other than those that they specifically choose, which reduces their exposure to this type of attack.
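For administrators checking which machines still need the upgrade, the following added example (not part of the original advisory) triages a software inventory against the version boundaries stated above. The tab-separated `hostname<TAB>version` input format and the host names are assumptions, and the script applies only the boundaries given in this advisory.

```python
import re

# Boundaries taken from the advisory text above.
FIRST_AFFECTED = (9, 0, 0, 0)
LAST_AFFECTED = (18, 0, 0, 194)
FIRST_FIXED = (18, 0, 0, 203)

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version.
    Accepts dotted (18.0.0.194) and comma-separated (18,0,0,194) forms."""
    m = re.fullmatch(r"\s*(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unparseable"      # missing or malformed: needs a manual look
    if v >= FIRST_FIXED:
        return "fixed"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"
    return "not covered"          # outside the ranges the advisory states

def triage(inventory_lines):
    """inventory_lines: 'hostname<TAB>version' records (assumed format)."""
    report = {}
    for line in inventory_lines:
        host, _, version = line.partition("\t")
        report[host.strip()] = classify(version)
    return report

# Constructed sample inventory, not real hosts.
SAMPLE = [
    "ws-01\t18.0.0.194",
    "ws-02\t18,0,0,203",
    "ws-03\t18.0.0.99",   # a plain string comparison would sort this above .194
    "ws-04\t8.0.24.0",
    "ws-05\t",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because comparing them as strings misorders builds such as 18.0.0.99 and 18.0.0.194.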