April 8th, 2016
What's the issue?
In a security advisory issued on April 5th, 2016, Adobe explained that a critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 184.108.40.206 and earlier versions that could lead to crashes and unauthorized takeover of affected systems.
Adobe did not go into detail about the vulnerability, but reports that it is "being actively exploited on systems running Windows 10 and earlier with Flash Player version 220.127.116.116 and earlier." Although this vulnerability has only been reported on Windows OS, systems running Macintosh, Linux and Chrome OS with vulnerable versions of Flash Player are also at risk.
How are cybercriminals using this exploit?
PC World is reporting that Flash Player has 24 critical vulnerabilities, 22 of which "can result in remote code execution on users' computers, one can lead to a security feature bypass and one can be used to bypass the memory layout randomization mitigation that's supposed to make exploitation harder in general."
Cybercriminals are using these flaws as an opportunity to exploit users with ransomware through web-based attacks.
Proofpoint, an email security vendor, reports that one of their customers received a malicious email with a document containing a macro that would redirect them to an exploit kit. An exploit kit is software embedded on web servers that searches for systems running vulnerable, unpatched software and installs malware on them.
In this case, Flash Player is the vulnerable software and the malware used is ransomware.
What should I do?
Check the version of your Adobe Flash Player here; it will indicate if your Flash Player is out of date. If your Adobe Flash Player is out of date, update to version 18.104.22.168 or later, which is patched to protect against exploitation of this vulnerability. The most current version is 22.214.171.124. The version you require may depend on the browser that you use. When installing the update, uncheck the Optional offers.
Note to NPC Customers
All NPC DataGuard Pro systems download updates automatically. However, if you wish to reassure yourself, follow the steps above to check your Adobe Flash Player version.
If you have any questions or concerns, do not hesitate to call the support centre at 1-855-667-2642 or email email@example.com.