Editor's note: This bulletin was posted on Oct. 15 and updated on Oct. 16.
Adobe Flash updates available
Many vendors have released patches for applications that use Adobe Flash Player. To see a list of the latest Flash Player version information for commonly used operating system platforms and browsers, please visit:
Adobe recommends that all Flash Player users upgrade to the most recent version of the player through the Player Download Center to take advantage of security updates.
Background
A new zero-day vulnerability has been disclosed for Adobe Flash Player. On Oct. 13, an external security group reported that this vulnerability is being actively exploited in the wild. To date, the exploit has been observed in use against international political targets (NATO, the White House, and high-profile Ukrainian and Russian political figures) as part of a campaign called "Operation Pawn Storm". However, there is no indication that use of this exploit will remain limited to those targets, nor that the Operation Pawn Storm actors are the only ones in possession of exploit code.
Adobe states that they expect to make a fix available during the week of Oct. 19.
Impact
Spam messages disguised as international current-events stories contain links to URLs hosting the exploit. Opening one of these links in a browser with a vulnerable Flash Player runs the exploit, which can give an attacker control of the system with no further user interaction.
Platforms affected
- Adobe Flash Player 19.0.0.207 and earlier versions for Windows and Macintosh
- Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions
- Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux
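The version ranges above are easy to misread when checking an inventory by hand (18.x is judged within its own Extended Support branch, not against 19.0.0.207). The following script is an added example, not part of this bulletin or of Adobe's advisory: it transcribes the ranges from the list above and flags hosts whose build falls inside them. The platform names, the inventory format and the sample inventory lines are constructed for illustration; treating builds older than any listed branch as affected is an assumption (the bulletin says "and earlier versions" for Windows and Macintosh; for Linux it only names 11.x, so that case is handled conservatively).

```python
"""Flag Flash Player builds that fall inside the bulletin's affected ranges.

Added example; not code from the IU bulletin or Adobe. The ceilings below are
transcribed from the "Platforms affected" list; platform names and the sample
inventory are constructed for illustration.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Highest affected build per platform and major branch, per the bulletin:
#   Windows/Mac: 19.0.0.207 and earlier; ESR 18.0.0.252 and earlier 18.x
#   Linux:       11.2.202.535 and earlier 11.x
AFFECTED: Dict[str, Dict[int, Version]] = {
    "windows": {19: (19, 0, 0, 207), 18: (18, 0, 0, 252)},
    "mac": {19: (19, 0, 0, 207), 18: (18, 0, 0, 252)},
    "linux": {11: (11, 2, 202, 535)},
}


def parse_version(text: str) -> Version:
    """Turn '19.0.0.207' into (19, 0, 0, 207); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad Flash Player version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text: str, platform: str) -> bool:
    """True if the build is inside an affected range for the platform.

    Branches the bulletin names are compared against their own ceiling, so an
    18.x ESR build is not judged against 19.0.0.207. Majors older than every
    listed branch are treated as affected (assumption, see lead-in).
    """
    rules = AFFECTED.get(platform.strip().lower())
    if rules is None:
        raise ValueError(f"platform not covered by the bulletin: {platform!r}")
    version = parse_version(version_text)
    major = version[0]
    if major in rules:
        return version <= rules[major]  # tuple comparison, field by field
    return major < min(rules)


# Constructed sample inventory (not real IU data): host,platform,flash_version.
SAMPLE_INVENTORY = """\
# host,platform,flash_version
lab-pc-01,windows,19.0.0.207
lab-pc-02,windows,19.0.0.226
mac-dev-03,mac,18.0.0.252
mac-dev-04,mac,18.0.0.255
lnx-build-05,linux,11.2.202.535
lnx-build-06,linux,11.2.202.540
"""


def hosts_needing_update(inventory: str) -> List[str]:
    """Return the hosts whose recorded Flash Player build is affected."""
    needing: List[str] = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, platform, version = (field.strip() for field in line.split(","))
        if is_affected(version, platform):
            needing.append(host)
    return needing


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: affected Flash Player build, update or remove Flash")
```

Feed it whatever your inventory tool exports (Secunia CSI or WSUS reports, for example) in the same three-column shape; a host appearing in the output either needs the Adobe update once it ships or should have Flash removed if it is not required there.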
Local observations
Updates will be available to the IU community via Secunia CSI and the IU Microsoft Update Service as soon as they are released by Adobe. To date, no active use of the exploit has been reported or observed at IU, but users should exercise caution regardless of network location.
UISO recommendations
To help mitigate the potential for exploitation, users should enable Click-to-Play for the Adobe Flash Player browser add-on. Click-to-Play stops Flash content from running automatically when a page loads, which blocks drive-by exploitation, but it does not protect a user who chooses to activate the plugin on a malicious page. Users should update Flash as soon as the patch is available, or remove Flash from computers that do not require it.
Be wary of links sent in email. Since the exploit is currently delivered through spear-phishing campaigns, take extra caution with links, even those that appear to come from individuals or groups you trust. Best practice is not to click links in emails, but to navigate to websites manually.
Further reading
- Adobe's security bulletin on this vulnerability
- Trend Micro's security bulletin, and their latest update on the "Operation Pawn Storm" spear phishing campaign using this exploit
- Protect yourself from phishing scams
- Adobe's Player Download Center site on adobe.com
- Enabling 'Click-to-Play' for the Adobe Flash Player add-on on howtogeek.com
- IU Knowledge Base article on Windows Server Update Services
- Background information on spear phishing, from Kaspersky Lab