Hackers are exploiting a new Flash vulnerability

Another day, another Flash vulnerability. A team of researchers at security company FireEye has discovered that a security flaw in Adobe Flash is being actively exploited as part of a large-scale e-mail phishing campaign.

The vulnerability in question is CVE-2015-3113, and it can allow an attacker to remotely execute arbitrary code. All major operating systems are vulnerable. Adobe has already issued a patch, which you should go and apply if you haven't already.

At least one group, which FireEye calls APT3, is actively exploiting this vulnerability. The group is sending out phishing emails with links pointing to compromised servers, which then prompt the user to download booby-trapped SWF and FLV files. FireEye claims that APT3 operates in a structured fashion with command-and-control centers, and goes after high-profile targets in industries such as aerospace, defense, and high-tech.

Comments closed
    • DrCR
    • 4 years ago

    I assume most of us here have Flash set to prompt, if not totally disabled, and use NoScript as well?

    • terminalrecluse
    • 4 years ago

    Wait. What? People still use flash?

    • DeadOfKnight
    • 4 years ago

    For a second there I thought we were talking about memory.

    • odizzido
    • 4 years ago

    One thing you really have to thank apple for, flash isn’t nearly as needed as it was before the iphone/pad.

    • sweatshopking
    • 4 years ago

    how’s this for a built in vulnerability? http://www.neowin.net/news/googles-audio-listening-software-has-been-installed-on-computers-without-permission

    • TwoEars
    • 4 years ago

    Good thing I have Norton. It’s sure to protect me.

      • Chrispy_
      • 4 years ago

      But wait, you don’t ALSO have McAfee Security Scan, you could be super dooper ultra protected!!!1

        • TwoEars
        • 4 years ago

        Sure – that’s a part time hobby of mine. I like to install 3-4 different antivirus on the same machine and then let them duke it out.

          • the
          • 4 years ago

          This would be funny if I hadn’t seen people actually do this on their own systems.

      • albundy
      • 4 years ago

      it should…it’s been the laughing stock of all AV software for eons.

    • Chrispy_
    • 4 years ago

    Flash.
    Java.

    It’s like discussing the activities of carrion over roadkill. Both are disease-riddled corpses that long ago lost their right to remain installed.

      • mattshwink
      • 4 years ago

      If only it were that easy (at least in the corporate world). We run a lot of Oracle applications (including three that run under Oracle EBS). These require JRE to be installed (and it is difficult to keep up to date, as testing and coordination under our myriad of application teams takes months).

      Flash is hard too, as our training system requires it.

        • brucethemoose
        • 4 years ago

        Thanks to Minecraft and pornography, they're just as entrenched in the consumer world. Mojang does have plans to bundle a JRE with Minecraft. Everyone gets the same version, and users don't have to install Java themselves... but despite the years of development time + millions of dollars in profits, Mojang STILL hasn't done that one simple thing. The pornography industry is built on ancient websites with ad-ridden flash players. Mobile users are pushing them towards HTML5, but the process is slow.

          • I.S.T.
          • 4 years ago

          I was just about to point out the blacked out part of your post. Can’t really forget those people.

        • Flying Fox
        • 4 years ago

        “Java” in this case should mean Java applets that are running in browser, not standalone/server applications written in the language. Since I do need Java-based applications on my system (not browser applets of course), the first thing I do is to disable launching of any applets in JRE configuration.

        • Chrispy_
        • 4 years ago

        I know. We are forced to use stuff that requires Java plugins, Flash Player, and even IE6.

        I wish there were some kind of legal requirement for paid products to use secure APIs. Most of the corporate software stupidity would end if that was the case.

          • just brew it!
          • 4 years ago

          “secure APIs”

          You might as well have said "unicorns". There's no such thing. The absolute best you can hope for are APIs where all of the KNOWN vulnerabilities (as of a few days/weeks ago) have been patched.

          • Flying Fox
          • 4 years ago

          “Java plugins, Flash Player, and even IE6”

          Government type establishments? Seems like they are the only ones that are so into the early 2000s.

            • mattshwink
            • 4 years ago

            Depends on the government establishment. But where I am we use IE10 for the browser (Chrome and Firefox are allowed but not officially supported). On the server side we are all RHEL 5 and we are moving to RHEL 6. Most servers are 2008 R2 and we are moving to 2012 R2. We still have some 2003 but that number is <5% total server count, and decreasing.

            The problems with Flash and JRE are that updates/fixes are deployed rapidly. Our app teams cannot keep up that release pace. Getting 2 JRE updates done a year is a miracle (simply because of the number of applications and integration scenarios that need to be tested). Flash is less problematic, as long as the external apps that require it support the version. Still, deploying fixes that rapidly requires effort and coordination in mid-large environments.

      • jessterman21
      • 4 years ago

      Mm yep. Uninstalled both a long time ago – never looked back.

      Mentioned this on DSOGaming and got “lol wut brand of foil do you recommend for a hat, dude?”

      • UnfriendlyFire
      • 4 years ago

      What about websites that rely heavily on Flash or Java, or both at the same time? 😀

      (Bonus if you need to use those websites for university or work)

        • Chrispy_
        • 4 years ago

        Find alternatives!

        Google and Apple have abandoned them. That’s half the battle, these plugins should have been culled long ago and websites will NEVER change unless they are forced. Cutting off traffic by blocking Flash and Java plugins was the right thing for Google and Apple to do, and it’s not like they didn’t give several years of fair warning, and then extend their grace periods.

        Seriously, both Flash and Java browser plugins were obsolete and due for retirement when HTML5 went mainstream.

    • kvndoom
    • 4 years ago

    Oh boy!!! Another opportunity to install McAfee Security Scan!!

      • UnfriendlyFire
      • 4 years ago

      My workplace uses a “professional” version of that.

      There was an incident where a malware infected a few computers, and shut down McAfee On-Access Scanner.

      And disabled McAfee’s update service when the IT department managed to get the AV running again, thus the McAfee OAS was unable to find the malware because its signatures couldn’t be updated.

      Then they installed MalwareBytes (Free) to kill the malware in order to get McAfee AV properly working. 😛

        • GrimDanfango
        • 4 years ago

        “Then they installed MalwareBytes (Free) to kill the malware in order to get McAfee AV properly working. :P”

        But surely it would work even less properly after MalwareBytes had killed it?
