Wednesday, October 14, 2015

Adobe confirms new critical Flash vulnerability is being exploited in targeted attacks, promises patch next week



Adobe today released a security bulletin confirming a vulnerability in all versions of its Flash product for Windows, Mac, and Linux. The company says it is aware of reports that an exploit targeting this vulnerability is being used in limited, targeted attacks. Adobe plans to release a patch for Flash “during the week of October 19” to plug the security hole.

The latest Adobe Flash flaw (CVE-2015-7645) was found by security researchers at Trend Micro. The attackers behind operation Pawn Storm, an economic and political cyber-espionage operation that has been targeting a wide range of high-profile entities since 2007, were found to be exploiting the new Flash vulnerability in their latest campaign.

Trend Micro explains:

In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:



“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

Trend Micro reached out to Adobe, which in turn confirmed that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. The company also established that all Flash versions are affected:

  • Adobe Flash Player 19.0.0.207 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions
  • Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux
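
For inventory triage against the list above, the following is an added example, not part of the original article or of Adobe's bulletin. The build ceilings are the ones quoted above; the host names, inventory rows and status labels are constructed for illustration, and treating every 18.x build on Windows or Macintosh as the Extended Support Release branch is an assumption.

```python
import re

# Highest affected builds, taken from the list in the article
MAINLINE_MAX = (19, 0, 0, 207)   # Windows and Macintosh
ESR_MAX = (18, 0, 0, 252)        # Extended Support Release, 18.x
LINUX_MAX = (11, 2, 202, 535)    # Linux, 11.x

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build."""
    # Some inventory sources report Flash builds with commas (19,0,0,207).
    m = re.fullmatch(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'affected', 'not-listed' or 'review' for one inventory row."""
    v = parse_version(version_text)
    p = platform.strip().lower()
    if v is None:
        return "review"                      # unparseable: check by hand
    if p == "linux":
        if v[0] != 11:
            return "review"                  # the list only covers 11.x on Linux
        return "affected" if v <= LINUX_MAX else "not-listed"
    if p in ("windows", "macintosh"):
        # Assumption: 18.x is the ESR branch. It gets its own ceiling because
        # any later 18.x build would still sort below 19.0.0.207.
        ceiling = ESR_MAX if v[0] == 18 else MAINLINE_MAX
        return "affected" if v <= ceiling else "not-listed"
    return "review"                          # platform not in the list

# Constructed inventory rows: host, platform, reported Flash version
SAMPLE = [
    ("ws-01", "Windows", "19.0.0.207"),
    ("ws-02", "Windows", "19,0,0,185"),
    ("mac-07", "Macintosh", "18.0.0.252"),
    ("mac-08", "Macintosh", "18.0.0.300"),   # hypothetical later ESR build
    ("lx-03", "Linux", "11.2.202.535"),
    ("lx-04", "Linux", "11.2.202.999"),      # hypothetical later Linux build
    ("kiosk-1", "Windows", "unknown"),
]

def triage(rows):
    """Map each host to its status."""
    return {host: classify(plat, ver) for host, plat, ver in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:8} {status}")
```

"not-listed" only means the build is above the highest build named in the article; it says nothing about whether that build carries the fix.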

Just yesterday, Adobe rolled out its monthly security patches, including for Flash. That, unfortunately, wasn’t enough, and once again Flash users will need to patch next week.

Given the number of Adobe Flash vulnerabilities that are discovered and exploited on a regular basis, we recommend uninstalling the software and seeing if you can live without it. Most of the Web is moving away from Flash and towards HTML5 anyway.

That said, we will update you when a patch is available.
