Adobe promises new Flash Player update to plug zero-day bug

The latest zero-day vulnerability in Flash Player is currently under attack by Pawn Storm. Sit tight for an emergency patch next week

Adobe has rolled out a mammoth security update for Flash, Reader, and Acrobat, but be prepared for another emergency update next week to fix the new zero-day vulnerability.

Adobe released 69 security patches as part of its regularly scheduled update cycle on Tuesday, fixing multiple vulnerabilities in Flash, Reader, and Acrobat. In that update, Adobe fixed 13 Flash flaws that could lead to information disclosure and remote code execution. While these updates should be applied immediately, administrators should remain on guard because attackers are currently exploiting a zero-day vulnerability affecting all versions of Flash Player, including the newly patched one.

Adobe has received a proof of concept for the vulnerability and has promised an emergency update next week.

"Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19," the company said in its advisory.

Researchers uncovered the zero-day Flash exploit in the latest Pawn Storm cyber espionage campaign, Trend Micro researchers Brooks Li, Feike Hacquebord, and Peter Pi wrote in a blog post. The spear phishing emails contained links leading to the exploit and targeted several Ministries of Foreign Affairs around the world. The subject lines referenced current events, such as the ongoing Syrian crisis, troop movements in Turkey and Afghanistan, and Israeli airstrikes on Gaza. Because the recipients were foreign ministry employees, the subject lines were carefully crafted to trick them into clicking the links and triggering the exploit.

The URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization members and the White House in April.

Pawn Storm regularly relies on zero-day exploits to spy on high-profile targets such as government departments around the world, defense industry organizations, military, and international organizations such as the North Atlantic Treaty Organization. Past attacks have used zero-days in Flash, the Windows operating system, and Java. The group is also known by other names, including APT28, Sednit, Fancy Bear, Sofacy, and Tsar Team. Some researchers believe it has links to the Russian government, but accurate attribution is still a challenge.

“Foreign affairs ministries have become a particular focus of interest for Pawn Storm recently,” the researchers said.

Pawn Storm infected iOS devices of several Western governments and media organizations to steal sensitive information earlier this year. Pawn Storm also set up fake Outlook Web Access servers for various ministries in order to steal credentials from foreign ministry employees. In addition, the group compromised the DNS settings for one ministry’s incoming mail, allowing it to intercept incoming email for “an extended period of time in 2015,” the researchers said.

Flash is used by 9.9 percent of all websites, according to statistics collected by W3Techs, and is an ongoing security headache for administrators. Adobe fixes the flaws promptly, but attackers and researchers continue to find vulnerabilities by the dozens each month.

Though Pawn Storm is using the exploit to target foreign ministries, the exploit will likely find its way into other crimeware kits and be used in other attacks. Malvertising attacks frequently target Flash, for example.

While Adobe expects to release a patch next week, users are once again encouraged to disable Flash in their browsers until then. Another option is to enable Click-to-Play for Flash in Chrome and other browsers that support this feature.
