Adobe Flash vulnerability widely exploited

Exploit code for an Adobe Flash vulnerability, which was discovered in connection with a data break-in at the company Hacking Team, has been added to software used for attacks. The vulnerability has also been used in targeted attacks. The Flash plug-in for workstation browsers should be updated without delay.

The Adobe Flash vulnerability, which was made public in connection with the Hacking Team data break-in on Sunday 5 July, was immediately exploited in tools used for network attacks. Code exploiting the vulnerability has been added to at least the well-known Angler Exploit Kit attack software and the Metasploit penetration testing tool. According to media reports, the vulnerability has also already been exploited in targeted attack campaigns.

Updated on 12 July 2015:

Two other Adobe Flash zero-day vulnerabilities have also been discovered in the leaked Hacking Team material. Code exploiting one of these vulnerabilities has been added to the Angler Exploit Kit attack software and the Metasploit penetration testing tool.

Target group of the alert

  • Administrators and users of computers
  • Persons responsible for organisations' information management and information security

Possible solutions and restrictive measures

The Flash plug-in of the browser software used on computers should be updated immediately.

Updated on 12 July 2015:

To protect against unpatched vulnerabilities, the Click to Play feature of the Flash plug-in can be enabled in the browser settings. Enabling Click to Play is also generally recommended for information security. More information on the measure is available in FICORA Advisories 54/2015 and 59/2015.

Updated on 14 July 2015:

Adobe has published a fixed version of Flash Player. An update for the Linux version has not yet been published.

Updated on 17 July 2015:

Adobe has also published a patch for the Linux version.

Further information

Update history


Key words: Information security, Data break-in, Malware, Phishing, Targeted attack, Alerts

