Alert! You can now get Cryptolocker just by visiting a Flash-enabled website

by Ed Sparks

The train wreck that is Adobe Flash continues!  As of this writing, it is possible for a website with the right (bad!) Flash content to use a combination of exploit code to infect computers with malware up to and including CryptoLocker (!!) just by visiting the site. No user interaction required.  This is about as bad as it gets, due to the ubiquity of Flash.  Steve Jobs' vendetta against this software was one of the times we fully agreed with him.

 Image from ThreatPost

Image from ThreatPost

As is being widely reported, this is due to a (so far) unpatched flaw in the latest versions of Flash Player on Windows, and newly published exploit code by the "Hacking Team." Apparently - get this - hackers broke into the Hacking Team site and are now publishing their hacks, or something. We need to find these people a hobby, or Adobe needs to hire all of them.  

What can you do?  Update Flash the minute a new version is available, but more substantially it would be useful to start looking at the feasibility of broadly disabling it in your browser, as many sites are now switching primarily to HTML 5 content, and the majority of sites still requiring flash are older or advertising based.

Additionally, Administrators and Users can look at enabling the "Click to Play" functionality in many browsers.

More on the subject:
http://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/ 

http://www.engadget.com/2015/07/08/hacking-team-zero-day-flash-exploit/