The year for Flash started with the CVE-2015-0310 security bulletin and the corresponding fix, version 18.104.22.1687. Just as that fell into our hands, Adobe warned about yet another flaw with CVE-2015-0311 and delivered 22.214.171.1246 to the world. Now, in an effort to make this more humorous, Adobe has released CVE-2015-0313 along with the 126.96.36.1995 update.
These rapid-fire, back-to-back problems are irritating. The issue is compounded by the hoops one has to jump through to update Flash. The Adobe Update tool only updates Internet Explorer or your Plugin Browser (e.g. Firefox), but not both at the same time. The updater also has a nasty habit of only checking for new builds after a full login—not after returning from sleep. Windows 8 and 8.1, meanwhile, rely on a completely different mechanism that pushes out Internet Explorer Flash updates via Windows Update. Your Plugin Browser in Win8 or 8.1 requires a manual update. And Chrome, unlike Firefox and IE, receives its Flash updates through a browser update mechanism. Got all that?
Malwarebytes is reporting that the latest exploit (CVE-2015-0313) has been under active attack since December 3. Part of the success has been fueled by exploit kits being sold online, making it easy for script kiddies to get into the game. What are the bad guys using it for? Invincea says the poison of choice is crypto ransomware. Given the ubiquity of Flash and the fact that malicious adverts are being pushed on trusted domains, this puts everyone at risk, laymen and experienced users alike.
With the sad situation laid bare, let's get to talking about what we can do to close off this vulnerability.
- Use Chrome—Trend Micro found that the exploit cannot escape the Chrome sandbox.
- Disable Flash through your add-on/extension manager.
- Enable ActiveX Filtering in IE.
- Uninstall Flash.
- Update Flash to version 188.8.131.525.
- Those of you on Windows 8 or 8.1, remember you will need the latest KB.msu from Windows Update for IE once it is released.
- Use EMET and EPM for IE. This still needs more confirmation, but these tools have been helpful in the past and are confirmed to stop the CVE-2015-0311 vulnerability.
I have one more important detail to provide as I wrap this up. Normally, the PC world gets to enjoy such misery on its own, but this problem also exists for Mac users. Hi guys!