Adobe today released a security bulletin confirming a vulnerability in all versions of its Flash product for Windows, Mac, and Linux. The company says it is aware of reports that an exploit targeting this vulnerability is being used in limited, targeted attacks. Adobe plans to release a patch for Flash “during the week of October 19” to plug the security hole.
Update: A patch is now available. See below for details.
The latest Adobe Flash flaw (CVE-2015-7645) was found by security researchers at Trend Micro. The attackers behind operation Pawn Storm, an economic and political cyber-espionage operation that has been targeting a wide range of high-profile entities since 2007, were found to be exploiting the new Flash vulnerability in their latest campaign.
Trend Micro explains:
In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:
“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”
It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.
Trend Micro reached out to Adobe, which in turn confirmed that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. The company also established that all Flash versions are affected:
- Adobe Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 18.104.22.168 and earlier 18.x versions
- Adobe Flash Player 22.214.171.1245 and earlier 11.x versions for Linux
Just yesterday, Adobe rolled out its monthly security patches, including for Flash. That, unfortunately, wasn’t enough, and once again Flash users will need to patch next week.
Given the number of Adobe Flash vulnerabilities that are discovered and exploited on a regular basis, we recommend uninstalling the software and seeing if you can live without it. Most of the Web is moving away from Flash and towards HTML5 anyway.
That said, we will update you when a patch is available.
- Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 126.96.36.199 by visiting the Adobe Flash Player Download Center or via the update mechanism within the product when prompted.
- Adobe recommends users of the Adobe Flash Player Extended Support Release update to version 188.8.131.52 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
- Adobe recommends users of the Adobe Flash Player for Linux update to Adobe Flash Player 184.108.40.2060 by visiting the Adobe Flash Player Download Center.
- Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 220.127.116.11 on Windows, Macintosh and Linux, and 18.104.22.168 on Chrome OS.
- Adobe Flash Player installed with Microsoft Edge for Windows 10 will be automatically updated to the latest version, which will include Adobe Flash Player 22.214.171.124.
- Adobe Flash Player installed with Internet Explorer 10 and 11 for Windows 8.0 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 126.96.36.199.
Unless you really need Flash, we still recommend that you uninstall it.