Adobe Confirms Major Security Flaw In Flash Player For Windows, Mac And Linux
Adobe has confirmed a major security vulnerability that affects all versions of Flash for Windows, Mac and Linux computers. The vulnerability can be used by hackers to crash a target PC or even take complete control of the computer. Adobe claims that so far all attacks using this vulnerability are limited and targeted.
A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
According to Adobe, there is no way to circumvent these attacks and the only way to effectively protect yourself is to completely uninstall Flash Player from your machine.
Adobe has updated its security bulletin on their website about this vulnerability and posted that they will release an update by October 16, i.e. today. However, it is also not clear if all versions of Flash Player will be patched across all platforms.
Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks.
UPDATE: Adobe expects updates to be available as early as October 16.
This new Flash vulnerability was first discovered by security researchers at Trend Micro, while investigating on the attackers behind Pawn Storm.
Trend Micro researchers have discovered that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we've seen in the last couple of years.
Trend Micro also warns people that any attack using this vulnerability starts with phishing e-mails that contained links leading to the exploit.
In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:
- Suicide car bomb targets NATO troop convoy Kabul
- Syrian troops make gains as Putin defends air strikes
- Israel launches airstrikes on targets in Gaza
- Russia warns of response to reported US nuke buildup in Turkey, Europe
- US military reports 75 US-trained rebels return Syria
According to Adobe security bulletin the following version of Adobe Flash Player are affected and needs to be updated when the fix is released.
- Adobe Flash Player 188.8.131.52 and earlier versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 184.108.40.206 and earlier 18.x versions
- Adobe Flash Player 220.127.116.115 and earlier 11.x versions for Linux
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Again, every version of Flash Player on Windows, Mac and Linux is affected. And until fixes are released by Adobe, the only way to protect your computer is to completely uninstall Flash. While known attacks that utilize this exploit indeed appear to be very targeted, there is simply no way to tell if the security hole is being used more widely by hackers.