July 13, 2015

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.


Google Chrome comes with its own version of Flash pre-installed, but disabling it is easy enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

Windows users can remove Flash from non-Chrome browsers from the Add/Remove Programs panel, and/or using this Flash Removal Tool. Note that you must exit out of all Web browsers before running the tool. To verify that Flash has been removed, visit this page; if it says your browser needs Flash, you’ve successfully removed it.

For Mac users, AppleInsider carries a story today that has solid instructions for nixing the program from OS X once and for all.

“Flash has become such an information security nightmare that Facebook’s Chief Security Officer called on Adobe to sunset the platform as soon as possible and ask browser vendors to forcibly kill it off,” AppleInsider’s Shane Cole writes. “Though most exploits are targeted at Windows, Mac users are not invincible.”

I removed Flash entirely more than a month ago and haven’t missed the program one bit. Unfortunately, some sites — including many government Web sites  — may prompt users to install Flash in order to view certain content. Perhaps it’s time for a petition to remove Flash Player from U.S. Government Web sites altogether? If you agree, make your voice heard here.  For more on spreading the word about Flash, see the campaign at OccupyFlash.org.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

77 thoughts on “Third Hacking Team Flash Zero-Day Found

  1. CJD

    I use a FireFox plugin called QuickJava that lets you turn off JavaScript, Java, Flash, Cookies, Images, Animated Images, CSS, and Silverlight by default when yuo open FF (Or any combination of those, I start with JS, Java, Flash, SilverLight off, the rest on) and then gives you a toolbar button to click to turn it on and reload the page. Works fantastic, and doesn’t force you to do away with the plugins altogether.

    Flash is on its way out, but there are cases of needing it. I hate Java, but there are plenty of Java based internal corporate sites I have to use. With QuickJava, I keep it turned off, when I need to use a corporate site that requires it, I load the site, click the “J” icon on my toolbar, java is activated and the page is reloaded. When I am done, I click the “J” icon again, and bye bye Java.

    1. SeymourB

      I used to use QuickJava, then it broke for a while and I ended up just using the multiple browser method, where only one browser has Java installed & available, while my normal browser doesn’t since it’s a more hardened setup.

      Though not foolproof, click-to-play is another option for handling plugins. There’s an extension called click-to-play-per-element for Firefox that requires some about:config changes to work properly, but it handles all plugin types I’ve come across.

    2. Anon

      I use No-Script add-on for FireFox which by default it blocks all scripts on a website. You can allow scripts temporarily or permanently and even revoke if you change your mind.

  2. RBBrittain

    Adobe posted its security bulletin for .209 at https://helpx.adobe.com/security/products/flash-player/apsb15-18.html along with a blog post at http://blogs.adobe.com/conversations/2015/07/resolution-for-recent-flash-player-vulnerabilities.html . It supposedly fixes this vulnerability (CVE-2015-5123) as well as the previous one (CVE-2015-5122); the first of the trifecta was patched in .203. Chrome has updated to .209; at the moment my IE 11 on Win 8.1 hasn’t, but I just now got the Patch Tuesday updates (27 of ’em) so we’ll see.

  3. Old School

    Flash version 18,0,0,209 is available.

    1. Anon

      Has this vulnerability been patched out in this version?

  4. Charles Green

    At least on PCs, Firefox now uses Shumway rather than Adobe Flash. Any word on how secure that is?

  5. Larry The Red

    There’s one thing stopping me from dropping flash: Hulu. As far as I can tell they don’t offer any other formats for their streams.

  6. adsf

    you should update the link for EMET to the current version 5.2. You’re linking to 5.1.

Comments are closed.