Last Friday, Adobe confirmed two new "critical" zero-day flaws in the Adobe Flash Player browser plugin 18.0.0.204 - and earlier versions - for Windows, Mac OS X, and Linux. Today, a third flaw was found. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages.
We recommend disabling Flash until the bugs are fixed.
Three "critical" Flash zero-day flaws in Adobe Flash Player discovered
Security experts say the two flaws were found in stolen files that were dumped earlier this month from Hacking Team, an Italian security firm that sells communication interception and surveillance software to governments around the world. The third one came from the same documents.
"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in their blog. "Depending on the privileges associated with the user account targeted, an attacker could install programs on the system, alter or delete data, create new accounts with similar user rights, or cause a denial-of-service."
“Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015,” the blog said.
We recommend you do the following:
- Remove or disable Flash until Adobe sends out a fix.
- Once a patch is released by Adobe, update immediately.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Avoid visiting websites or following links provided by unknown or untrusted sources.
- Avoid clicking on links contained in emails or attachments from unknown sources.
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Affected systems:
- Adobe Flash Player 18.0.0.203 and earlier for Windows and Macintosh
- Adobe Flash Player 18.0.0.204 and earlier for Linux installed with Google Chrome
- Adobe Flash Player Extended Support Release 13.0.0.302 and earlier for Windows and Macintosh
- Adobe Flash Player Extended Support Release 11.2.202.481 and earlier for Linux