Decision time: Uninstall Adobe Flash or install yet another critical patch
Hacking Team vulnerability fixed for Windows, OS X and Linux machines
Adobe has issued yet another update for Flash Player to patch a critical vulnerability revealed in documents leaked from spyware maker Hacking Team.
The update patches 36 CVE-listed flaws, including Hacking Team's CVE-2015-5119 bug – which can be exploited by a malicious Flash file to run malware on a victim's system. Some of the other 35 programming cockups also allow hackers to pull off remote-code execution attacks on vulnerable computers.
Users of Flash Player for Windows, OS X, and Linux are all advised to update to the latest version of Flash, though the update is only considered a top priority for Windows and OS X users. The CVE-2015-5119 bug is being exploited in the wild right now by crims, who are using the flaw to infect people's PCs.
An alternative is to just uninstall or disable the plugin, which has been riddled with security holes for years, or tell your web browser to only run Flash files if you right-click over them and select "run this plugin" (it's usually called click-to-play).
"These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe said.
"Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published."
That flaw was made public when a hacker owned the servers of Hacking Team, an Italian surveillance-ware developer. Along with the exploit code, the leaked data showed a list of government regimes that had purchased and asked for support on spyware tools.
The patched software will include Flash Player for Windows and OS X 188.8.131.52, Flash Player Extended Support Release 184.108.40.2062, Flash Player for Linux 220.127.116.111, Flash Player for Chrome 18.104.22.168 (Windows/OS X) and 22.214.171.124 (Linux), Flash Player for Internet Explorer 126.96.36.199, and Flash AIR 188.8.131.52.
Users are entirely justified in getting a sense of deja-vu on this latest update. The Adobe fix comes just a couple weeks after Adobe issued another emergency patch for Flash Player. Infosec bods have suggested that, in many cases, users and administrators would be better off deleting or disabling Flash Player than having to deal with the constant updates. ®