Indiana University
Information Security & Policy
Zero-day vulnerability in Flash being exploited, updates available

Friday, October 16, 2015

Editor's note: This bulletin was originally posted on Oct. 15 and updated on Oct. 16 with the patch information below.

Adobe Flash updates available

Adobe has released patched builds of Flash Player, and vendors that bundle Flash Player in their own products have released corresponding updates. To check which Flash Player version is current for each operating system and browser, and which version is installed on your machine, see Adobe's "About Adobe Flash Player" page.

Adobe recommends that all Flash Player users update to the current version of the player through the Player Download Center to pick up the security fixes. Browsers that ship their own copy of Flash Player (Google Chrome, and Internet Explorer and Microsoft Edge on Windows 8 and later) receive the fix through the browser's or operating system's own update channel rather than from the Download Center, so check the installed version in each browser you use.

Background

A new zero-day vulnerability, tracked as CVE-2015-7645, has been disclosed in Adobe Flash Player. On Oct. 13, an external security group (Trend Micro) reported that the vulnerability is being actively exploited in the wild. To date the exploit has been observed only against international political targets (NATO, the White House, and high-profile Ukrainian and Russian political figures) as part of the campaign Trend Micro calls "Operation Pawn Storm". There is no reason to assume that use of the exploit will remain limited to those targets, or that the Pawn Storm operators are the only ones in possession of exploit code.

At the time of the original posting, Adobe stated that it expected to make a fix available during the week of Oct. 19. Patched builds were in fact released on Oct. 16; see the update at the top of this bulletin.

Impact

Spam messages disguised as stories about international current events contain links to URLs hosting the exploit. Opening such a link in a browser with a vulnerable Flash Player is enough: the exploit runs without any further user interaction and can allow an attacker to execute code on, and take control of, the system.

Platforms affected

  • Adobe Flash Player 19.0.0.207 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions
  • Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux
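As an added example (not part of this bulletin, and not IU, Adobe or Secunia code), the following Python encodes the affected ranges above as a version check that can be run over an inventory export. The CSV layout, host names and builds are constructed for illustration, and the rule that treats unlisted older branches (for example 17.x) as still affected is an assumption, marked as such in the code. It also shows why Flash builds must be compared as integer tuples rather than strings.

```python
"""Flag Adobe Flash Player builds that fall inside this bulletin's affected
ranges.  Added example for this page; not IU, Adobe or Secunia code.

Versions are compared as integer tuples, never as strings: as strings,
"9.0.289.0" sorts *after* "19.0.0.207", so a naive string comparison would
report an ancient build as already patched.
"""
import csv
import io

# Last affected build per major branch, from the "Platforms affected" list.
LAST_AFFECTED = {
    19: (19, 0, 0, 207),    # Windows / Macintosh
    18: (18, 0, 0, 252),    # Extended Support Release (18.x)
    11: (11, 2, 202, 535),  # Linux (11.x)
}
NEWEST_LISTED_BRANCH = max(LAST_AFFECTED)


def parse_version(text):
    """'19.0.0.207' -> (19, 0, 0, 207); shorter strings are zero-padded to four fields."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a Flash Player version string: %r" % text)
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def is_affected(version):
    """True if the build should be treated as vulnerable to this issue.

    Branch listed in the bulletin : vulnerable iff build <= last affected build.
    Older branch not listed (17.x, 9.x, ...): treated as vulnerable.  This is an
        assumption: out-of-support branches do not receive the fix, so the
        remedy is to move to a current branch or remove Flash.
    Newer branch than any listed  : treated as fixed, since it postdates the bulletin.
    """
    v = parse_version(version)
    major = v[0]
    if major in LAST_AFFECTED:
        return v <= LAST_AFFECTED[major]
    return major < NEWEST_LISTED_BRANCH


def scan_inventory(csv_text):
    """Return [(host, version), ...] for rows whose Flash build is still affected.

    The host,platform,version layout is a constructed stand-in for an inventory
    export; a real export needs its own column mapping.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["version"]) for r in rows if is_affected(r["version"])]


# Constructed sample inventory; host names and builds are illustrative only.
SAMPLE_INVENTORY = """\
host,platform,version
lab-pc-01,windows,19.0.0.207
lab-pc-02,windows,19.0.0.226
mac-office-03,mac,18.0.0.252
mac-office-04,mac,18.0.0.255
hpc-login-01,linux,11.2.202.535
hpc-login-02,linux,11.2.202.540
old-kiosk,windows,9.0.289.0
"""

if __name__ == "__main__":
    for host, version in scan_inventory(SAMPLE_INVENTORY):
        print("%-14s Flash %-13s needs update or removal" % (host, version))
```

Feed it the version column from a Secunia or WSUS export and treat every row it returns as a machine that still needs the patch or should have Flash removed. The `platform` column is carried through untouched because the build number alone determines exposure for the branches in this bulletin.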

Local observations

Updates are distributed to the IU community through Secunia CSI and the IU Microsoft Update Service as soon as Adobe releases them; computers not enrolled in those services must be updated by hand. To date, no use of the exploit has been reported or observed at IU, but users should exercise caution regardless of network location.

UISO recommendations

To reduce the chance of exploitation, users should enable Click-to-Play for the Adobe Flash Player browser add-on, so that Flash content on a page runs only when the user explicitly clicks it. Click-to-Play is a mitigation, not a fix: it only helps if you do not click, so install the latest Flash patches as soon as they are available, and remove Flash entirely from computers that do not require it.

Be wary of links sent in email. Since the exploit is currently delivered through spear phishing campaigns, treat links with extra caution, even ones that appear to come from individuals or groups you trust. The safest practice is not to click links in email at all, but to navigate to the website yourself.

Further reading

  • Adobe's security advisory (APSA15-05) and security bulletin (APSB15-27) on this vulnerability, CVE-2015-7645
  • Trend Micro's security bulletin, and their latest update on the "Operation Pawn Storm" spear phishing campaign using this exploit
  • Protect yourself from phishing scams
  • Adobe's Player Download Center site on adobe.com
  • Enabling 'Click-to-Play' for the Adobe Flash Player add-on on howtogeek.com
  • IU Knowledge Base article on Windows Server Update Services (WSUS)
  • Background information on spear phishing, from Kaspersky Lab

Copyright © 2021 The Trustees of Indiana University