
Adobe Issues Emergency Flash Zero-Day Patch
A serious zero-day flaw in its Flash Player browser plugin had Adobe scrambling to issue a critical patch on Wednesday. The vulnerability, which affects both Mac and Windows operating systems, potentially allows an attacker to take over a system. Adobe said the bug has already been exploited by hackers in the wild. The vulnerability was first discovered earlier this month by FireEye, a private computer security company, which privately informed Adobe of the exploit. FireEye’s team in Singapore discovered the flaw thanks to a phishing campaign by the Chinese hacker group APT3, also known as UPS.

A Sophisticated Threat

APT3 had been targeting organizations involved in several critical industries, including aerospace and defense, construction and engineering, high tech, telecommunications, and transportation. FireEye had previously identified APT3 in April of last year, and described the group as one of the most sophisticated threats that it tracks.

The hacker group has a history of introducing zero-day exploits into browser plugins using vulnerabilities in software such as Internet Explorer, Firefox, and Flash. After successfully exploiting a target host, APT3 will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3’s command and control infrastructure is difficult to track, as there is little overlap across campaigns.

The hacker group’s latest exploit affects Adobe’s Flash Player Desktop Runtime, Flash Player Extended Support Release, Flash Player for Linux, and Flash Player for Google Chrome and Internet Explorer 10 and 11. Adobe said users running those products should upgrade to the latest versions immediately.

Phishing Expedition

The victims were attacked by phishing e-mails that directed users to click on a URL that took them to a compromised server hosting JavaScript profiling scripts. Victims were then led to download a malicious Flash Player SWF file.
Adobe described the attacks witnessed in the wild as “limited” and “targeted.” Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets for the campaign. Nevertheless, Adobe assigned the update its highest priority rating, indicating that the company considered it a crucial security flaw that users should fix as soon as possible.

According to Adobe, users running the Flash Player browser plugin on Google Chrome or Internet Explorer on Windows 8.x systems will have their software automatically updated. Users running Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.194, users of the Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.296, and users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.468.

The vulnerability is only the latest to befall the hapless plugin, which has been the victim of a number of exploits in the past. Last year, Kaspersky Labs found that the Syrian government had used another exploit in the software to attack what it considered to be political opponents. Although the Flash Player is widely used, security experts have recommended that users uninstall it due to its numerous security issues.
Source: Adobe Issues Emergency Flash Zero-Day Patch - Network Security on CIO Today