NEWS FROM THE LAB - Tuesday, January 27, 2015

Low Hanging Fruit: Flash Player Posted by Sean @ 17:13 GMT

Flash Player version is now available.

Flash Player Versions

In Windows, you can check what version you have installed via Flash's Control Panel applet.

Settings Manager, Flash Player

According to Adobe Security Bulletin APSA15-01, users who have enabled auto-update will have received the update starting on January 24th. Manual downloaders needed to wait a couple of days.

Adobe Bulletin CVE-2015-0311

We're not exactly sure why manual downloads were delayed, but whatever the reason, auto-updates are recommended.

And not only auto-updates. At this point, we also recommend enabling "click-to-play" options. Here's an example from Firefox with "Ask to Activate" configured.

Firefox, Flash, Ask to Activate
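The Firefox setting shown above is stored in the profile's prefs.js as the `plugin.state.flash` pref (0 = never activate, 1 = ask to activate, 2 = always activate). As an added example, not part of the original post, here is a small audit script that reads a prefs.js, reports whether click-to-play is enforced for Flash, and emits the user.js line that would enforce it; the prefs.js content is a constructed sample.

```python
import re
from typing import Optional

# Firefox pref that controls the Flash plugin's activation state.
PREF_NAME = "plugin.state.flash"
STATE_LABELS = {0: "never activate", 1: "ask to activate (click-to-play)", 2: "always activate"}

# Matches a prefs.js / user.js line such as:  user_pref("plugin.state.flash", 1);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text: str) -> dict:
    """Return {pref_name: raw_value} for every user_pref() line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def flash_state(text: str) -> Optional[int]:
    """Integer value of plugin.state.flash, or None if the profile never set it."""
    raw = parse_prefs(text).get(PREF_NAME)
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return None  # malformed value: report as unset rather than guessing

def audit(text: str) -> str:
    """Verdict on whether click-to-play is enforced for Flash in this profile."""
    state = flash_state(text)
    if state == 1:
        return "OK: Flash is set to ask to activate"
    if state is None:
        return "WARN: plugin.state.flash not set; browser default applies"
    return f"WARN: Flash is set to {STATE_LABELS.get(state, 'unknown state ' + str(state))}"

def fix_line() -> str:
    """The user.js line that enforces click-to-play for Flash."""
    return f'user_pref("{PREF_NAME}", 1);'

# Constructed sample prefs.js: Flash left at "always activate" (state 2).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugin.state.flash", 2);
user_pref("plugin.state.java", 0);
'''

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
    print("Add to user.js:", fix_line())
```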

Google Chrome also offers options in its "advanced" settings.

Why do we recommend click-to-play? Because Flash Player is currently the application most aggressively targeted by exploit kits.

Here are some stats from last week, from which you can see that Angler, which was targeting a Flash Player 0-day vulnerability, was leading the exploit kit market.

Finland:

Exploit Kits, January 2015 FI

Germany:

Exploit Kits, January 2015 DE

United Kingdom:

Exploit Kits, January 2015 UK

And Angler was number one in several other regions as well.

So, update your Flash Player, set it to auto-update, and configure click-to-play.

Updated to add on February 2nd:

There's another zero-day Flash Player vulnerability in-the-wild that's being actively exploited. Adobe has issued a security advisory and yet another update is in the works this week.

Meanwhile, seriously, consider click-to-play options! Here's how via How-To Geek. (A hat tip to @Bart for the link.)