The last few days have been hectic for the Adobe team: two 0-day vulnerabilities have been discovered in Flash Player. One of them (CVE-2015-0310) is fixed in the latest version of the plugin, but the other is not yet.
Cyber criminals are already exploiting them in the wild, that is, they are already taking advantage of the flaws to infect computers.
The least you should do to protect your computer is to update Adobe Flash Player to the latest available version, whether on Windows, Linux or Mac. From here you can quickly check the version you have installed and the latest version available. In Chrome it updates automatically, as it does in Internet Explorer under Windows 8, but ideally you should check the versions anyway and make sure your browsers are up to date.
For added protection, I like to use the NoScript plugin in Firefox and allow Flash to run only when I allow it.
In Chrome you can activate something similar from the configuration options, by going to "chrome://settings/content" (without the quotes) and then, under Plugins, checking the option Click to play:
This way every time a page tries to play a Flash element, instead of the animation or the video you will see a gray box on which you must click if you want to play it.
For greater security, however, it is recommended to enable the option that follows it, Block by default, since the click to play option is susceptible to click-jacking attacks. It also does not work if you load the .swf file directly into the browser.
Vulnerabilities in these browser plugins are dangerous because they can allow automatic infection, or drive-by download, in which a Trojan can sneak into the system simply by visiting a page that is infected or has been manipulated by attackers.
Attackers generally use programs called exploit kits, which probe the victim's machine for vulnerabilities until one lets them in. The serious thing about 0-days is that they are vulnerabilities that affect the latest versions of the programs, which is why even a fully updated system is at risk until the vendor detects the flaw and releases a patch to fix it.
0-days are generally used in targeted attacks and are not commonly used in large-scale campaigns at first. But once they come to light, they begin to circulate in the black market for exploits, and until the vendor fixes the vulnerability they are used on a massive scale. That is when they become more dangerous for the common user.
Vulnerabilities in Flash are not uncommon and in fact are becoming increasingly common, to the point that Java has been stripped of its first place as the most vulnerable plugin, as noted on the Malwarebytes blog.
Java is one of those plugins that, if not used regularly, is better not to have installed. The following two articles are clear examples of how dangerous it can be to have an outdated Java version installed:
– BlackHat SEO + Java vulnerable = hidden Trojan download
– Can I be infected in a hidden way by means of a link?
In the first, a simple search for images in Google ends with the installation of a Trojan and in the second, I show in a video how a user can infect another through a link shared by chat. In both cases, the use of antivirus can help stop attacks, but there are ways to evade them, so if the user is not careful about what they do, sooner or later they can be surprised.
Below I leave the video again in case you are interested in seeing it:
Stay tuned for Flash updates:
A new update that will fix the still-active 0-day is expected during this last week of January (see the Adobe PSIRT blog). So stay tuned and check here whether the installed version is the latest.