Maybe you’re one of the many millions of people who use Adobe Flash on your computer.
Maybe you’re aware of the many security holes that are regular found in Flash, and diligently updated your copy earlier this week when Adobe released multiple security updates, many of which were categorised as “critical”.
Maybe you think your computer is safe from malicious hackers exploiting Flash flaws for a while, as you’re running the very latest version 220.127.116.11 of Adobe Flash.
But you’re not.
Just hours after releasing its regular “Patch Tuesday” bundle of security fixes, Adobe issued another security bulletin warning about a critical vulnerability that is being actively exploited by hackers to install malware onto computers in targeted attacks.
A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19.
The group believed to be exploiting the flaw is the Pawn Storm hacking gang, whose secretive members have been running a sophisticated malware campaign targeting government, military and media organisations in the United States, Ukraine, and across Europe.
Typically the gang has sent carefully-crafted emails to its intended targets, with boobytrapped Word documents attached, or lured unsuspecting victims to visit watering holes poisoned with exploit kits targeting poorly patched web browsers.
According to researchers at Trend Micro, the latest Pawn Storm campaign has targeted several foreign affairs ministries, sending emails pointing to webpages containing the Flash exploit. The emails pretend to be about current affairs. Here are some examples of subject lines being used:
“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”
Clearly, the Pawn Storm group has particular targets in mind, and is focused on spying and stealing information from compromised government and military systems. And the hacking gang has had some high profile success in the past, having been implicated in a security breach at the White House.
The gang also has the resources to uncover new zero-day vulnerabilities. As well as this Flash flaw, for instance, it was found earlier in the year to be exploiting the first new zero-day vulnerability in Java to have been uncovered for a couple of years.
This has resulted in many people believing that Operation Pawn Storm is an example of state-sponsored cybercrime.
But even if you don’t work for a government, the military, a media organisation… even if you aren’t a political activist who has ruffled a few feathers… it makes sense to keep your systems protected and running the very latest versions of software.
Unfortunately for computer users, the vulnerability is present in the latest Adobe Flash Player 22.214.171.124, as well as earlier versions for Windows and Macintosh. (Sorry, Linux lovers it’s also in the Flash 126.96.36.1995 and earlier for your platform too).
One step you could take is to consider completely uninstalling Flash from your computer.
That’s a decision that more people are beginning to make, but I suspect that the majority of computer users aren’t quite ready for it.
Alternatively, consider enabling “Click to Play” in your browser.
With “Click to Play” enabled, your browser won’t render potentially malicious Flash content unless and until you give it specific permission. In other words, a maliciously coded Flash file won’t run unless you authorise it, rather than automatically executing when you visit a webpage.
Bear in mind that Flash is also integrated into Adobe AIR and Shockwave, and therefore they are vulnerable to attacks as well. In the case of Shockwave, it’s hardly used anymore – but many people still have it lurking on their computer. Unless you know that you need Shockwave, my recommendation is that you uninstall it.
Even though your own personal computer and business network may not be in the list of Pawn Storm’s targets, sooner or later you are going to have to address the Flash problem on your personal and work computers.
One user on Twitter summed up the situation well:
Start planning what you are going to do now, because with the constant barrage of newly discovered Flash exploits it doesn’t seem sustainable for the status quo to continue.
by Graham Cluley, ESET We Live Security