A New Zero-Day Affects All Versions of Flash

Adobe has released a new security advisory stating a fix is due for a vulnerability deemed critical by most researchers. The vulnerability affects all versions of Adobe’s Flash player and comes just a day after Adobe’s monthly security update.

The vulnerability, discovered by researchers at a cybersecurity firm, leaves every version of Flash exposed. It affects Flash Player on Windows, Macintosh and Linux operating systems.

A successful exploit could crash the operating system and, worse, give the attacker complete control of the targeted system.

Adobe released an advisory addressing the vulnerability:

Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks.

Trend Micro, the security company that discovered the vulnerability, noted that a cyberespionage group called Pawn Storm is actively launching phishing attacks against a number of governments in countries across Asia, Europe and the Middle East, and is also targeting the U.S. media, the White House, and other NATO organizations.

Additionally, fake and malicious Outlook Web Access (OWA) servers have recently been spotted in the wild. They target several foreign affairs ministries, which are bearing the brunt of credential phishing attacks that have proven extremely effective.

At one country's Ministry of Foreign Affairs, incoming emails at one establishment were completely compromised, leading to fears that Pawn Storm may have been snooping on the victim’s emails over a longer period of time.

As it stands, users running the latest version of Flash are still vulnerable to the attack and can be compromised by simply browsing the internet.

Affected software versions include:

  • Adobe Flash Player 19.0.0.207 and all earlier versions that are available for Windows and Macintosh.
  • Adobe Flash Player Extended Support Release version 18.0.0.252 as well as earlier 18.x versions.
  • Adobe Flash Player 11.2.202.535 and all earlier 11.x versions that are available for Linux.

Due to the high profile of the vulnerability, Adobe has seemingly ramped up its patching schedule and has updated its advisory to note that the patch could be made available as early as October 16.