BANGALORE, INDIA: Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash which could allow attackers to remotely execute code on a targeted computer.
Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued.
Details of the vulnerability surfaced following a cyberattack against the controversial Italian hackers-for-hire firm Hacking Team. Proof-of-concept exploit code for the vulnerability was part of a large cache of internal information leaked by the attackers.
Given the source of the proof-of-concept code, it is possible that this vulnerability has already been exploited in the wild. Following its disclosure, it can be expected that groups of attackers will rush to incorporate it into exploit kits before a patch is published by Adobe.
Symantec confirmed the existence of this vulnerability by replicating the proof-of-concept exploit on the most recent, fully patched version of Adobe Flash (18.0.0.194) with Internet Explorer.
Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected computer.
Symantec regards this vulnerability as critical since it could allow attackers to remotely run code on an affected computer, effectively allowing them to take control of it.
Mitigation
Users who are concerned about this issue can temporarily disable Adobe Flash in the browser by taking the following steps:
Internet Explorer versions 10 and 11
Open Internet Explorer.
Click on the “Tools” menu, and then click “Manage add-ons”.
Under “Show”, select “All add-ons”.
Select “Shockwave Flash Object” and then click on the “Disable” button.
You can re-enable Adobe Flash by repeating the same process, selecting “Shockwave Flash Object”, and then clicking on the “Enable” button.
Firefox
Open Firefox.
Open the browser menu and click “Add-ons”.
Select the “Plugins” tab.
Select “Shockwave Flash” and click “Disable”.
You can re-enable Flash by repeating the same process, selecting “Shockwave Flash”, and then clicking on the “Enable” button.
Chrome
Type “chrome:plugins” in the address bar to open the Plug-ins page.
On the Plug-ins page that appears, find the “Flash” listing.
To disable Adobe Flash Player completely, click the “Disable” link under its name.
To re-enable Adobe Flash Player, click the “Enable” link under its name.