In the news today, Brian Krebs reports on a new Adobe Flash zero-day and its associated critical patch. According to Krebs, Adobe says the vulnerability (CVE-2015-3113) is already being exploited in targeted attacks, so security teams should be on high alert.
Adobe has published a security bulletin that indicates systems running Internet Explorer on Windows 7 are known targets. Systems running Firefox on Windows XP are also vulnerable. Adobe has given the patch for this vulnerability its highest priority ranking.
Brian Krebs has provided a helpful link to check if your system is running Adobe Flash, which may be found here: https://www.adobe.com/software/flash/about/
Krebs also notes:
“In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all.”
Bromium Director of Product Marketing Bill Gardner notes:
“This reinforces that well known browser plugins often have unknown vulnerabilities. We could generally expect to get dozens of these in any given year.”
This Adobe Flash zero-day illustrates why Internet content is so untrustworthy: attacks can be committed through the browser, through scripting languages and even through extensions. It’s a greenfield for hackers with no end in sight if the status quo for protection doesn’t change.
Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things: race to deploy the newest patch before hackers can leverage the exploit for an attack, or test the patch to make sure it integrates with legacy systems.
Of course, the third option is to deploy threat isolation security solutions. This latest zero-day and others like it can be contained by isolating the browser in a micro-VM (such as Bromium vSentry). By isolating the threat, security and ops teams are granted the grace period needed to test and deploy these critical patches.