New version to ship the week of October 19

On Wednesday, Adobe confirmed reports from Trend Micro surrounding a new vulnerability in Flash that’s being used in attacks against high-profile targets in government affairs.

The vulnerability has been tied to a number of phishing campaigns that are part of what Trend Micro is calling Operation Pawn Storm. Some of the earliest attacks date back to June of 2014.

“Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years… In our latest research, we find that the Russian spies behind Pawn Storm apparently do not discriminate,” Trend explained.

“In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events…”

In their advisory, Adobe confirmed Trend’s findings, and said that a patch for the newly circulated Flash vulnerability will be issued sometime next week.

“A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe would like to thank Peter Pi of Trend Micro for reporting CVE-2015-7645 and for working with Adobe to help protect our customers,” the advisory said.

While it might be easier to recommend uninstalling Flash, the reality is that such an option isn’t available in most corporate environments. However, limiting access to Flash, and preventing it from running unless needed (such as what’s done in Firefox) makes sense – especially now.

But, if Flash isn’t needed – remove it. Thanks to HTML 5, most applications online work fine without it.