Update: 20th October 2015:
Yesterday Microsoft updated their security advisory and issued a Flash Player update (to version v18.104.22.168) for Windows 8.0, Windows RT, Windows 8.1 and Windows 10 users. This update applies to both Microsoft Edge (Windows 10) and Internet Explorer users.
Google Chrome v46.0.2490.71 (Stable, 64 bit) has now also been updated to v22.214.171.124 of Flash Player. This update occurred silently in the background most likely using Google’s component update feature.
Update: 18th October 2015:
Adobe made available Flash Player v126.96.36.199 to address this zero day issue as well as 2 other critical CVEs (defined) earlier than expected on the 16th of October rather than during the week of October 19th.
At the time of writing this updated Flash Player was not available for users of Windows 8.0, 8.1 and 10 (despite Adobe mentioning the availability of these updates for such users in their security bulletin). Google Chrome v47.0.2526.16 (Beta, 64 bit) has been updated to Flash Player v188.8.131.52 while Google Chrome v46.0.2490.71 (Stable, 64 bit) remains at version v184.108.40.206.
I will update this post when these updates become more widespread.
An organized group of malicious hackers known as Pawn Storm are exploiting a zero day (defined) security vulnerability in Adobe Flash Player. At this time, there is no update available to address the issue being exploited. If you make use of Adobe Flash Player, the information below may be useful to you.
Why Should This Threat Be Considered Important?
As noted by Trend Micro, defending against zero-day exploits requires a defense-in-depth strategy (defined) since Flash Player is widely used and such exploits are likely to be difficult to detect due to obfuscation (further information on obfuscation techniques) as was the case with exploits used by the Angler exploit kit.
The means of exploiting this vulnerability is currently via targeted email messages a technique known as spear phishing (defined). These messages contain links to websites hosting exploits for this vulnerability. Further details of the subject lines and content of the emails to enable you to better defend yourself are provided in Trend Micro’s blog post.
As noted by Adobe in their security advisory successful exploitation of this vulnerability can result in an attacker gaining remote control over a device with Flash Player installed.
How Can I Protect Myself From This Issue?
- Exercise caution when reading emails that appear to contain interesting content from individuals that you may or may not know. Do not click on any links within those emails.
- Refer to Trend Micro’s blog post for additional tips on how to recognize the emails which attempt to exploit this vulnerability.
- Even if a defense-in-depth strategy (as mentioned above) is followed in your environment (e.g. corporate, small business etc.), I would recommend enabling Click-to-Play for your browser (supported by all major web browsers with the exception of Internet Explorer) so that Flash will ask permission before performing any action.
An update from Adobe is scheduled to be made available next week to address this vulnerability. Please install it as soon as possible upon it’s availability.