Adobe confirms Flash vulnerability found via Hacking Team leak, issues patch for Windows, Mac, and Linux (Updated)

Adobe today released a security bulletin confirming a vulnerability in all versions of its Flash product for Windows, Mac, and Linux. The company says it is aware of reports that an exploit targeting this vulnerability has been publicly published, and it plans to release a patch on July 8, 2015.

The unpatched Adobe Flash security hole (CVE-2015-5119) was found by security researchers looking through the data leaked from Hacking Team, an Italian company renowned for providing surveillance software that helps governments hack digital devices and snoop on citizens’ online activities. The leak (400GB of emails, source code, client lists, invoices, server backups, and so on) occurred after Hacking Team was itself hacked earlier this week.

Adobe did not say that the vulnerability is being exploited in the wild. The company did admit, however, that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe confirmed the following versions are affected:

• Adobe Flash Player 18.0.0.194 and earlier versions for Windows and Macintosh
• Adobe Flash Player Extended Support Release version 13.0.0.296 and earlier 13.x versions for Windows and Macintosh
• Adobe Flash Player 11.2.202.468 and earlier 11.x versions for Linux

Of course, this would never have been a problem if Hacking Team had disclosed the vulnerability to Adobe. But the company’s business depends on keeping vulnerabilities it finds secret.

Earlier today, security firm Symantec confirmed the vulnerability by replicating the proof-of-concept exploit on the most recent, fully patched version of Adobe Flash (18.0.0.194). Competitor Trend Micro, which also detailed the discovery, notes that the Flash exploit was described by Hacking Team as “the most beautiful Flash bug for the last four years.”

Given the number of Adobe Flash vulnerabilities that are discovered and exploited on a regular basis, we recommend uninstalling the software and seeing if you can live without it. Most of the Web is moving away from Flash and towards HTML5 anyway.

That said, we will update you when a patch is available.

Update on July 8: As planned, Adobe today released a new version of Flash that addresses the vulnerability.

The patch is available for Windows, Mac, and Linux users:

• Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.203 by visiting the Adobe Flash Player Download Center or via the update mechanism within the product when prompted.
• Users of the Adobe Flash Player Extended Support Release should update to version 13.0.0.302 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
• Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.481 by visiting the Adobe Flash Player Download Center.
• Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.0.0.203 on Windows and Macintosh, and Flash Player 18.0.0.204 on Linux.
• Adobe Flash Player installed with Internet Explorer for Windows 8.x will be automatically updated to the latest version, which will include Adobe Flash Player 18.0.0.203.

To check the version of Adobe Flash Player you have installed, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. You should do this for each browser you have installed on your system.