Adobe has announced a new critical security vulnerability (CVE-2015-7645), and it looks ugly. A “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system”, and according to the report it has already been used in “limited, targeted attacks”.
The vulnerability affects Linux, Windows and Mac, and Adobe expects to publish a patch by Oct 19, 2015. However, Adobe’s love for Linux is widely known, and there is no information on whether a patch will be available for Linux. As you might be aware, Adobe discontinued active development and support for Linux a while ago.
The following versions are affected:
- Adobe Flash Player 22.214.171.124 and earlier versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 126.96.36.199 and earlier 18.x versions
- Adobe Flash Player 188.8.131.525 and earlier 11.x versions for Linux
Trend Micro, the firm that exposed the vulnerability, gave more details on the vulnerability and how it has been used in Operation Pawn Storm. In this attack, phishing emails were sent to organizations and government institutions such as NATO and the White House, and to high-profile political personalities in Ukraine and Russia, on the following topics:
- Suicide car bomb targets NATO troop convoy Kabul
- Syrian troops make gains as Putin defends airstrikes
- Israel launches airstrikes on targets in Gaza
- Russia warns of responses to reported US nuke buildup in Turkey, Europe
- US military reports 75 US-trained rebels return Syria
The emails contained URLs which hosted the exploit. The attacks are believed to have been initiated in Russia.
We suggest that our readers remove Flash completely from their systems and use modern technologies like HTML5 in their browsers. Some alternatives are available too.