Adobe has released patches for multiple vulnerabilities in its Flash Player application ahead of schedule, including a zero-day exploit (CVE-2015-7645) that is known to have been used in a targeted espionage campaign.
On Friday, the United States Computer Emergency Readiness Team (US-CERT) issued a statement directing users to ASPB15-27, Adobe’s latest security bulletin that addresses three vulnerabilities in Flash Player: CVE-2015-7645, CVE-2015-7647, and CVE-2015-7648.
“Adobe has released security updates for Adobe Flash Player,” the bulletin begins. “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2015-7645 is being used in limited, targeted attacks.”
Last week, following Adobe’s release of approximately 70 security fixes for vulnerabilities found in Flash, Acrobat, and Reader, Peter Pi, a threat analyst with global security software company Trend Micro, announced that he had discovered a new zero-day in Flash Player that actors associated with the Pawn Storm espionage campaign have been leveraging to target foreign ministries around the world.
Pi promptly contacted Adobe about the exploit and has subsequently been acknowledged by the company in ASPB15-27 along with Natalie Silvanovich of Google Project Zero, an initiative which collaborated with Adobe in introducing new exploit mitigations to Flash Player earlier this year.
“These mitigation techniques focused on reducing Vector.<*> exploits, because a corrupted Vector.<*> was frequently used to achieve the ability to read and write arbitrary parts of memory,” explains Pi in a recent blog post. “This allows various security techniques like DEP/ASLR/CFG/EMET to be bypassed and achieve Remote Code Execution (RCE) within the browser process. Once these mitigations were put in place, the exploits in the wild decreased, but they did not completely disappear. This latest vulnerability is the first zero-day exploit discovered in the wild after these mitigations were added.”
Users are urged to update to the newest version of Adobe Flash Player (18.104.22.168). You can check to see which version you have installed here, or you can download the newest version of Flash Player directly from here.