Security

KILL FLASH WITH FIRE until a patch comes: Hacking Team exploit is in the wild

It's out there - and you're wide open to it

So it's confirmed: the Adobe Flash vulnerability revealed in the Hacking Team hack is out in the wild being used, and there's no patch yet. Flash users beware!

Two sources, Malwarebytes and Malware Don't Need Coffee, have documented updates to the Neutrino exploit kit and Angler exploit kit, respectively. Both kits, which are installed on compromised websites by criminals to infect passing web surfers, now exploit the new Flash bug to execute malicious code on victims' computers.

Malwarebytes, which had already warned the exploit would be weaponised quickly, notes: “This is one of the fastest documented case of an immediate weaponisation in the wild, possibly thanks to the detailed instructions left by Hacking Team.”

The company shows the exploit working in Firefox:

Firefox exploit from Malwarebytes

Malwarebytes' demonstration of the Neutrino exploit kit in action

Don't Need Coffee corroborates, showing the Angler exploit kit “successfully exploiting IE11, win7 x64 Flash 18.0.0.194”.

Don't Need Coffe's Angler EK demo

Malware Don't Need Coffee - Angler exploit kit demonstration

The emergence of the live exploits came to this scribe's attention via @SwiftOnSecurity:

Adobe expects its fix to land on July 8. ®

Sponsored: The Nuts and Bolts of Ransomware in 2016