Security Warning: Patch for
Adobe Flash Player Vulnerability Being Exploited in The Wild
released a so called "out of band" patch for Flash Player to remove a
vulnerability that is being actively exploited in the wild via large
scale, targeted attacks against specific industries. Google
Chrome browser and Windows 8 and later include Flash Player
built-in. They will need to be updated separately.
Our Managed Care customers have been patched with an emergency deployment.
recommends that Adobe Flash Player users update to the latest version
as soon as possible. That includes installing a patch for Google
Chrome and Windows 8 or later, if appropriate.
Warning: Vulnerability is being
actively exploited on the Internet.
(A "warning" alert is for a situation that is currently occurring or
conditions are right for the situation to occur soon.)
Severity: High. An exploit could potentially allow an attacker to take control of the affected system.
Because Flash is ubiquitous, we will likely see many other attacks over the coming months that will
attempt to exploit this vulnerability.
The Adobe Flash
Player browser plug-in is available for multiple web browsers and operating
systems, any of which could be affected.
- Adobe Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh are affected.
- Adobe Flash Player Extended Support Release version 188.8.131.522 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player 184.108.40.2066 and earlier 11.x versions for Linux
CVE number: CVE-2015-3113
How Are Systems Compromised?
The current exploit is using in a phishing campaign. The
attackers’ emails included links to compromised web servers that served
either benign content or a malicious Adobe Flash Player file that
Do I Protect My Computer
If you’re unsure whether you have Flash Player installed or what version you are running, browse to the Adobe Flash Player about page, which will show whether Flash Player is installed or not and the version if it is installed.Enabling
Automatic Updates in Windows will not get the patch for Flash Player
(non-Microsoft products) for systems running Windows 7 or earlier or
most alternate browsers. You can configure Flash Player for auto-update
notification, but it might check only once every 30 days (plenty of
time to get exploited) and, even with that notification, you might have
to take manual action (such as clicking the notification in the sys
tray) to install the update.
Install the latest version of Flash Player (220.127.116.11) from
Beware of potentially unwanted software add-ons, like McAfee Security
Scan or browser bars, and uncheck the pre-checked box(es) to avoid installing the
potentially unwanted software. (A licensed download intended for
enterprise deployments is available that does not include any add-on software.)
you use a browser other than Internet Explorer (IE) or Chrome, you
might need to install an edition of this patch twice, one edition
for IE and another edition for alternative browsers (Firefox,
If you are running Windows 8 or later, Windows RT,
or Windows Server 2012 or later and you have Windows Automatic Update
enabled, the required patch should automatically be installed.
Otherwise install patch Microsoft Security Update for Internet Explorer Flash Player (KB3074219).
force the installation of an available update in Chrome, click the
triple bar icon to the right of the address bar, select “About Google
Chrome”, click the apply update button, and restart the browser.
Adobe Security Advisory: https://helpx.adobe.com/security/products/flash-player/apsb15-14.htmll
Adobe Product Security Incident Response Team:
Kerbs on Security blog:
IT Professional Services deployed the Flash Player update at all of our customers of Managed Care. Managed Care customers are protected from this vulnerability.
If you need assistance installing protection from
this vulnerability or a security assessment, IT Professional Services
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this blog is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.