If you are still using Flash, you should know that Adobe just patched a critical vulnerability that could have allowed malicious folks to send ransomware to your computer. This exploit was deemed an issue only on systems running Windows 10. However, Adobe pushed the update to versions of Flash running on all the major operating systems, Windows, Mac OS X, Linux based distributions, and ChromeOS.
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details.
Proofpoint, FireEye, and some other researchers investigated how a ransomware, dubbed Cerber, was exploiting this vulnerability. They notified Adobe of the exploit and the company pushed an emergency patch on April 7th, 2016. The ransomware is believed to have been in the wild since at least March 31st, 2016. Sophos has a pretty good explanation on how this exploit works.
The bug allows an attacker to send booby-trapped content to your browser’s Flash plugin in such a way that your browser will not only crash, but also hand over control to the attacker in the process.
The technical name for that sort of exploit is RCE, short for Remote Code Execution, also known as a drive-by download or a drive-by install, so called because you only need to look at a booby-trapped page to get infected.
Users have been advised to upgrade to this version of Flash immediately, regardless of which operating system they’re using. While the exploit is said to affect only Windows 10 users, it’s safer to upgrade regardless, and even safer to stop using Flash altogether.
