Security Alerts

Security Warning: Patch for Adobe Flash Player Vulnerability Being Exploited in The Wild
6/23/2015

Adobe released a so-called "out-of-band" patch for Flash Player to fix a vulnerability that is being actively exploited in the wild in large-scale, targeted attacks against specific industries.  Google Chrome and Windows 8 and later include a built-in Flash Player, which must be updated separately.

Our Managed Care customers have been patched with an emergency deployment.

ITPS recommends that Adobe Flash Player users update to the latest version as soon as possible.  That includes installing a patch for Google Chrome and Windows 8 or later, if appropriate.

Threat Level

Warning:  Vulnerability is being actively exploited on the Internet.

(A "warning" alert is for a situation that is currently occurring or conditions are right for the situation to occur soon.)

Severity:  High. An exploit could potentially allow an attacker to take control of the affected system.

Because Flash is ubiquitous, we will likely see many other attacks over the coming months that will attempt to exploit this vulnerability.

Affected Software

  • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

The Adobe Flash Player browser plug-in is available for multiple web browsers and operating systems, any of which could be affected.

CVE number: CVE-2015-3113
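
For triaging a software inventory against the list above, the following Python is an added example, not part of the original ITPS alert. The version ceilings are copied from the Affected Software list; the host names, inventory rows, function names, and status labels are constructed for illustration.

```python
# Added example. Ceilings are copied from the "Affected Software" list in
# this alert; host names and inventory rows are constructed for illustration.
ESR_MAX = (13, 0, 0, 292)      # Extended Support Release, Windows/Macintosh
MAIN_MAX = (18, 0, 0, 161)     # main release, Windows/Macintosh
LINUX_MAX = (11, 2, 202, 466)  # 11.x, Linux

def parse_version(text):
    """Return a 4-tuple of ints; accepts '18.0.0.161' or '18,0,0,161'."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'affected', 'not-listed' or 'unparseable' for one install."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    platform = platform.lower()
    if platform in ("windows", "macintosh"):
        # The 13.x ESR branch has its own ceiling; check the branch first so
        # a later 13.x build is not caught by the 18.0.0.161 ceiling.
        limit = ESR_MAX if version[0] == 13 else MAIN_MAX
    elif platform == "linux" and version[0] == 11:
        limit = LINUX_MAX
    else:
        return "not-listed"  # combination the alert does not cover
    return "affected" if version <= limit else "not-listed"

def triage(inventory):
    """Map host name -> status for (host, platform, version) rows."""
    return {host: classify(plat, ver) for host, plat, ver in inventory}

SAMPLE_INVENTORY = [  # constructed rows
    ("ws-01", "windows", "18.0.0.161"),
    ("ws-02", "windows", "18.0.0.194"),
    ("ws-03", "windows", "13.0.0.300"),
    ("mac-01", "macintosh", "17.0.0.188"),
    ("lin-01", "linux", "11.2.202.466"),
    ("ws-04", "windows", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A "not-listed" result means only that the version is outside the ranges named in this alert; hosts reported as "unparseable" need a manual check.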

How Are Systems Compromised?

The current exploit is being used in a phishing campaign.  The attackers’ emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113.

How Do I Protect My Computer?

If you’re unsure whether you have Flash Player installed or what version you are running, browse to the Adobe Flash Player about page, which will show whether Flash Player is installed or not and the version if it is installed.

Enabling Automatic Updates in Windows will not deliver the patch for Flash Player (a non-Microsoft product) to systems running Windows 7 or earlier, or to most alternate browsers. You can configure Flash Player for auto-update notification, but it might check only once every 30 days (plenty of time to get exploited) and, even with that notification, you might have to take manual action (such as clicking the notification in the system tray) to install the update.

Install the latest version of Flash Player (18.0.0.194) from
http://get.adobe.com/flashplayer/.

Beware of potentially unwanted software add-ons, like McAfee Security Scan or browser bars, and uncheck the pre-checked box(es) to avoid installing the potentially unwanted software.  (A licensed download intended for enterprise deployments is available that does not include any add-on software.)

If you use a browser other than Internet Explorer (IE) or Chrome, you might need to install this patch twice: one edition for IE and another edition for alternative browsers (e.g., Firefox, Opera).

If you are running Windows 8 or later, Windows RT, or Windows Server 2012 or later and you have Windows Automatic Update enabled, the required patch should be installed automatically.  Otherwise, install the Microsoft Security Update for Internet Explorer Flash Player (KB3074219).

To force the installation of an available update in Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button, and restart the browser.

More Information

Security Advisories
Adobe Security Advisory: https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
US-CERT: http://www.kb.cert.org/vuls/id/451380

Blogs
Adobe Product Security Incident Response Team:
http://blogs.adobe.com/psirt/?p=1210
FireEye Blog:
https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

Krebs on Security blog:
http://krebsonsecurity.com/2015/06/emergency-patch-for-adobe-flash-zero-day/

Managed Services

IT Professional Services deployed the Flash Player update for all of our Managed Care customers. Managed Care customers are protected from this vulnerability.

Professional Services

If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is, schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this blog is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.
