The recent hacking and subsequent leak of more than 400GBs of data from the 'Hacking Team', which is known for working with governments worldwide, has turned up several major pieces of information both on the good and bad side. One little piece that the team was sitting on was a previously unknown, un-patched Flash zero day exploit which could allow attackers to remotely execute code on a targeted computer.
According to security researchers it has taken less than a day for the new exploit to spread throughout the hacking community and be put in to use. By Tuesday afternoon, the critical flaw was added to several major commercially available exploit kits and was being targeted in the wild by an array of malware titles.
Adobe Systems has already confirmed the vulnerability, which received the identifier CVE-2015-5119 and is active in Flash versions 184.108.40.206 and earlier. Fortunately Adobe has worked quickly to get an update together that should mitigate any threat.
Adobe came out today with the APSB15-16 security bulletin and update providing patches for 36 security vulnerabilities in Adobe Flash Player, including this latest threat. The update should be currently available for all users of Flash on Windows, Mac OS X, and Linux systems. Adobe has credited Google's Project Zero and Morgan Marquis-Boire, director of security, First Look Media, for reporting the critical bug and working to protect Flash users.
If for some reason the Adobe update is not available for you, or you can install it users are advised to enable the click-to-play feature in browsers that support it, like Google Chrome and Mozilla Firefox, or to disable the Flash Player plug-in in their browser.