Adobe has rolled out a mammoth security update for Flash, Reader, and Acrobat, but be prepared for another emergency update next week to fix the new zero-day vulnerability.
Adobe released 69 security patches as part of its regularly scheduled update cycle on Tuesday fixing multiple vulnerabilities in Flash, Reader, and Acrobat. In that update, Adobe fixed 13 Flash flaws that could lead to information disclosure and remote code execution. While these updates should be applied immediately, administrators should remain on guard because attackers are currently exploiting a zero-day vulnerability affecting all versions of Flash Player, even the latest one.
Adobe has the proof of concept for the vulnerability and promised an emergency update next week.
"Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19," the company said in its advisory.
Researchers uncovered the zero-day Flash exploit in the latest Pawn Storm cyber espionage campaign, Trend Micro researchers Brooks Li, Feike Hacquebord, and Peter Pi wrote in a blog post. The spear phishing emails contained links leading to the exploit and targeted several Ministries of Foreign Affairs around the world. The subject lines referenced current events, such as the ongoing Syrian crisis, troop movements in Turkey and Afghanistan, and Israeli airstrikes on Gaza. Considering that recipients were foreign ministry employees, the subject lines were carefully crafted to trick the recipients into clicking the links and trigger the exploit.
The URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization members and the White House in April.
Pawn Storm regularly relies on zero-day exploits to spy on high-profile targets such as government departments around the world, defense industry organizations, military, and international organizations such as the North Atlantic Treaty Organization. Past attacks have used zero-days in Flash, the Windows operating system, and Java. The group is also known by other names, including APT28, Sednit, Fancy Bear, Sofacy, and Tsar Team. Some researchers believe it has links to the Russian government, but accurate attribution is still a challenge.
“Foreign affairs ministries have become a particular focus of interest for Pawn Storm recently,” the researchers said.
Pawn Storm infected iOS devices of several Western governments and media organizations to steal sensitive information earlier this year. Pawn Storm also set up fake Outlook Web Access servers for various ministries in order to steal credentials from foreign ministry employees. In addition, the group compromised the DNS settings for one ministry’s incoming mail, allowing it to intercept incoming email for “an extended period of time in 2015,” the researchers said.
Flash is used by 9.9 percent of all websites, according to statistics collected by W3Techs, and is an ongoing security headache for administrators. Adobe fixes the flaws promptly, but attackers and researchers continue to find vulnerabilities by the dozens each month.
Though Pawn Storm is using the exploit to target foreign ministries, the exploit will likely find its way into other crimeware kits and be used in other attacks. Malvertising attacks frequently target Flash, for example.
While Adobe expects to release a patch next week, users are once again encouraged to disable Flash in their browsers until then. Another option is to enable Click-to-Play for Flash in Chrome and other browsers that support this feature.