“Adobe is aware of a report that CVE-2015-5119 is being actively exploited in the wild,” said Adobe. As noted by Lucian Constantin over at PCWorld, cybercriminals began using the exploit just a day after it was leaked from a surveillance software developer. Constantin wrote:
The exploit was found by security researchers yesterday among the 400GB worth of files stolen recently from Hacking Team, an Italian company that develops and sells intrusion and surveillance software to government agencies.
Similarly, it took just one extra day for Adobe Systems to patch the vulnerability with today’s release of Adobe Flash Player 18.0.0.203 for Mac and Windows.
Cybercriminals use exploit kits to attack known vulnerabilities in browser plug-ins, such as Flash Player and other Adobe software, and install malware on a victim’s computer. “These attacks are typically launched from compromised websites or through malicious advertisements,” warned Constantin.
If you’re not sure whether a popup alert claiming to be from Adobe is real or fake, take a look at our handy security tips on how to safely install and update Adobe Flash.
Affected software versions — which are out of date and vulnerable to attack — include the following:
Adobe’s security bulletin describes the vulnerabilities patched in these updates as follows:
Adobe Flash users running Mac OS X and Windows computers should update to Adobe Flash Player 18.0.0.203 (15.6 MB) immediately to avoid potential attacks. Linux users should update to Flash Player 11.2.202.481.
Flash Player for Google Chrome and Internet Explorer will be automatically updated to the latest version, which includes the security fixes mentioned here.