Emergency Patch released for Latest Flash Zero-Day Vulnerability

Khyati Jain, The Hacker News (thehackernews.com), Oct 16, 2015, 10:06 p.m.

EPSS: 0.974 (High), percentile 99.9%

Flash Zero-Day Vulnerability: Security Patch Update Released

Two days ago, The Hacker News (THN) reported on the zero-day vulnerability in the freshly patched Adobe Flash Player. The vulnerability was exploited in the wild by a well-known Russian hacking group, “Pawn Storm,” to target several foreign affairs ministries worldwide.

The zero-day flaw allowed hackers to take complete control of a user’s machine, putting all Flash Player users at potentially high risk.

Until now, no patch was available to make the flawed software safe.

However, Adobe has now patched the zero-day vulnerability, along with some other critical vulnerabilities whose details are yet to be disclosed.

Yesterday, the company published a post in its official security bulletin (APSB15-27) detailing the risks associated with the zero-day and how users can protect themselves.

The critical vulnerabilities are assigned the following CVE numbers:

  • CVE-2015-7645
  • CVE-2015-7647
  • CVE-2015-7648

Adobe is also aware that hackers had exploited the zero-day flaw (CVE-2015-7645) in limited, targeted attacks. The flaw carries a CVSS severity score of 9.3 (High), as measured by the National Vulnerability Database (NVD).

Affected Versions and Software

The zero-day flaw affects:

  • Adobe Flash Player 18.x through 18.0.0.252 on Microsoft Windows and Mac OS X.
  • Adobe Flash Player 19.x through 19.0.0.207 on Microsoft Windows and Mac OS X.
  • Adobe Flash Player 11.x through 11.2.202.535 on Linux.
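A defender's first job after a bulletin like this is to find which machines actually run an affected build. The following is an added example, not code from the article or from Adobe: it encodes only the three affected ranges quoted above (branch, platform, highest affected build) and checks an inventory of (host, version, platform) rows against them. The fixed build numbers are not stated on this page, so any build above a listed ceiling is simply treated as outside the stated range; the host names, the inventory format and the platform alias table are constructed assumptions.

```python
"""Check inventoried Flash Player versions against the affected ranges from APSB15-27.

Added example, not from the article or from Adobe. Only the ranges the article
quotes are encoded; hostnames, inventory layout and platform labels are assumed.
"""
from typing import Dict, FrozenSet, List, Tuple

Version = Tuple[int, int, int, int]

# Highest affected build per major branch and the platforms it applies to,
# as the article quotes them from the bulletin.
AFFECTED: Dict[int, Tuple[FrozenSet[str], Version]] = {
    18: (frozenset({"windows", "macos"}), (18, 0, 0, 252)),
    19: (frozenset({"windows", "macos"}), (19, 0, 0, 207)),
    11: (frozenset({"linux"}), (11, 2, 202, 535)),
}

# Loose platform spellings seen in inventories and bulletins, mapped to one label
# (assumed alias table).
PLATFORM_ALIASES = {
    "windows": "windows", "win": "windows",
    "macos": "macos", "mac os x": "macos", "osx": "macos", "mac": "macos",
    "linux": "linux",
}


def parse_version(text: str) -> Version:
    """Turn '19.0.0.207' into (19, 0, 0, 207); reject anything that is not four numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def normalize_platform(text: str) -> str:
    """Map a free-text OS label onto the bulletin's platform names."""
    key = text.strip().lower()
    if key not in PLATFORM_ALIASES:
        raise ValueError(f"unknown platform label: {text!r}")
    return PLATFORM_ALIASES[key]


def is_affected(version: str, platform: str) -> bool:
    """True if the (version, platform) pair falls inside a listed affected range."""
    v = parse_version(version)
    entry = AFFECTED.get(v[0])
    if entry is None:
        return False  # major branch not mentioned in the bulletin
    platforms, ceiling = entry
    if normalize_platform(platform) not in platforms:
        return False  # branch listed, but not for this operating system
    # Tuples compare component by component as integers, so 18.0.0.252 is within
    # the ceiling while 18.0.0.253 is not; no string-comparison pitfalls.
    return v <= ceiling


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts that need the APSB15-27 update, from (host, version, platform) rows."""
    return [host for host, version, platform in inventory if is_affected(version, platform)]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and build numbers are made up).
    sample = [
        ("ws-01", "18.0.0.252", "Windows"),
        ("ws-02", "19.0.0.207", "Mac OS X"),
        ("ws-03", "19.0.0.208", "Windows"),
        ("srv-04", "11.2.202.535", "Linux"),
        ("ws-05", "11.2.202.535", "Windows"),
    ]
    for host in triage(sample):
        print(f"{host}: affected build, apply the APSB15-27 update")
```

The platform gate matters: the 11.x branch is listed only for Linux, so an 11.2.202.535 build reported on Windows is not flagged by this check, and a branch the bulletin does not mention at all is reported as not affected rather than guessed at.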

The zero-day allowed intruders to execute arbitrary code remotely through a crafted SWF (Small Web Format) file, an Adobe Flash file format for efficient delivery of video and audio over the web.

In the same bulletin, Adobe also lists the affected Adobe Flash products, namely:

  1. Adobe Flash Player Desktop Runtime
  2. Adobe Flash Player Extended Support Release
  3. Adobe Flash Player for Google Chrome
  4. Adobe Flash Player for Microsoft Edge and Internet Explorer 11
  5. Adobe Flash Player for Internet Explorer 10 and 11
  6. Adobe Flash Player for Linux

Adobe and its PSIRT (Product Security Incident Response Team) also thanked Trend Micro for detecting and analyzing the exploit and Google Project Zero for the vulnerability research.

To conclude, given all the serious cyber attacks targeting Adobe Flash Player in the past and present, Flash must go away!

This time too, foreign affairs ministries are falling prey to dangerous phishing attacks: the victims receive emails whose subjects refer to current events and whose message contains a link (URL) that redirects the victim to the exploit set up by the attacker.

Time to Say Good Bye to Flash

For 20 years, Adobe Flash has been making the Web a slightly more interesting and interactive place. But…

…in the three months since July this year, Adobe Flash Player has been a regular on the security bulletin board, with many previously unknown vulnerabilities discovered and exploited in it.

This has, in turn, put many users at risk.

At the beginning of this year, YouTube moved away from Flash for delivering videos. Firefox has also blocked the Flash plugin entirely.

Facebook’s Security Chief publicly called for Adobe to announce a ‘kill-date for Flash.’ Google Chrome has also begun blocking auto-playing Flash ads by default.

Therefore, if you want your information to stay only with you then say “Good Bye to Flash.”