The fun never ends with Adobe Flash.
Just one day after Adobe released its monthly security patches for various software including Flash Player, the company confirmed a major security vulnerability that affects all versions of Flash for Windows, Mac and Linux computers. You read that correctly… all versions. Adobe said it has been made aware that this vulnerability is being used by hackers to attack users, though it says the attacks are limited and targeted. Using the exploit, an attacker can crash a target PC or even take complete control of the computer.
And now for the fun part: The only way to effectively protect yourself against this serious security hole is to completely uninstall Flash Player from your machine.
“A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux,” Adobe wrote in a security bulletin posted to its website. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”
The company went on to state that it “hopes” to make an update available sometime next week to address the critical security hole, though it’s currently unclear exactly when it plans to release the fix. It’s also not clear if all versions of Flash Player will be patched across all platforms.
This new Flash vulnerability was first discovered by security researchers at Trend Micro, which wrote about the bug in a recent blog post.
“Trend Micro researchers have discovered that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign,” Trend Micro wrote. “Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years.”
More from the security firm’s post:
In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:
“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”
It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.
Again, every version of Flash Player on Windows, Mac and Linux is affected. And until fixes are released by Adobe, the only way to protect your computer is to completely uninstall Flash. While known attacks that utilize this exploit indeed appear to be very targeted, there’s simply no way to tell if the security hole is being used more widely by hackers.
UPDATE: In light of the severity of this vulnerability, Adobe on Friday rushed out a patch well ahead of schedule. Visit this post for details on how to secure your system.