Adobe has released patches for its Flash software to fix a pair of critical security vulnerabilities exposed by the Hacking Team megabreach. The bugs can be exploited to hijack PCs and infect them with malware – and crooks are already doing just that, so apply the updates now.
The security bulletin for Adobe Flash Player (APSB15-18) addresses both zero-day vulnerabilities (CVE-2015-5122, CVE-2015-5123). Version 22.214.171.124 Flash Player and associated browser plugins for Windows, Macintosh and Linux replace earlier releases, and constitute a critical update on affected systems.
Adobe was obliged to plug Flash last week because of an earlier 0-day which also emerged from the Hacking Team leak. Flash software is frequently targeted by cybercrooks and spies, prompting growing calls in the security community to ditch the technology.
There have been 11 Flash updates this year alone, and six have come outside Adobe's regular patching cycle as hurry-up patches for zero-day flaws, according to data from the software developer. This is a high patching overhead, so it's no great surprise that patience with Adobe is wearing thin.
Facebook's recently installed security chief has just called for a timetable to kill off Flash, while Firefox took the unusually aggressive step on Monday of blocking Flash plugins by default pending the patch, which has now arrived.
The Flash updates are especially important because exploits targeting these vulnerabilities have already surfaced, as even Adobe admits.
Although the Flash update heads the bill, the latest software updates from Adobe also include a critical update for Adobe Shockwave Player (APSB15-17). Windows and Macintosh versions of the software need updating to version 126.96.36.199 because of flaws identified by Fortinet's FortiGuard Labs that have not so far made it into the wild in the form of active exploits.
Lastly, Adobe is also releasing updates for Adobe Acrobat and Reader (APSB15-15) to "address critical vulnerabilities that could potentially allow an attacker to take control of the affected system". Multiple bugs are resolved by the patches and Windows and Macintosh platforms are both affected, which sounds bad.
However, Adobe attaches a patching priority of "two" to the updates, compared to a higher priority of "one" for the Flash and Shockwave updates. ®