Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. It addresses a critical vulnerability that could potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that the vulnerability is being actively exploited via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.
Adobe recommends users update their product installations to the latest versions:
- Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 126.96.36.199.
- Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 188.8.131.526.
- Users of Adobe Flash Player for Linux should update to Adobe Flash Player 184.108.40.2068.
- Adobe Flash Player installed with Google Chrome and Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 220.127.116.11.
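For an administrator checking a fleet against the versions listed above, the practical question is whether each installed build is at or above the fixed version for its distribution channel. The following is an added example, not Adobe's code or part of the advisory; it copies the version strings exactly as printed above, compares them numerically segment by segment (a plain string comparison would rank `11.2.202.9` above `11.2.202.468`), and the host inventory it runs over is constructed sample input.

```python
"""Check installed Flash Player builds against the fixed versions listed in the advisory.

Added example, not Adobe's code. REQUIRED copies the version strings as printed on
the page; the inventory at the bottom is constructed sample data.
"""
from typing import Dict, List, Tuple

# Minimum fixed version per distribution channel, as listed in the advisory text above.
REQUIRED: Dict[str, str] = {
    "desktop": "126.96.36.199",        # Desktop Runtime, Windows and Macintosh
    "esr": "188.8.131.526",            # Extended Support Release
    "linux": "184.108.40.2068",        # Flash Player for Linux
    "chrome_ie_win8": "220.127.116.11", # bundled with Chrome / IE on Windows 8.x
}


def parse_version(ver: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of ints so it compares numerically.

    Tuples compare element by element, so "11.2.202.468" > "11.2.202.9" as intended,
    whereas the same comparison on raw strings would give the wrong answer.
    """
    parts = ver.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {ver!r}")
    return tuple(int(p) for p in parts)


def is_patched(channel: str, installed: str) -> bool:
    """True if the installed build is at or above the advisory's fixed version."""
    if channel not in REQUIRED:
        raise KeyError(f"unknown distribution channel: {channel!r}")
    return parse_version(installed) >= parse_version(REQUIRED[channel])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, channel, installed_version) for every host that still needs the update."""
    return [(host, ch, ver) for host, ch, ver in inventory if not is_patched(ch, ver)]


# Constructed sample inventory: hostname, channel, installed version.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "desktop", "126.96.36.199"),   # exactly the fixed version
    ("ws-02", "desktop", "126.96.36.198"),   # one build behind
    ("build-01", "linux", "184.108.40.2068"),
    ("legacy-01", "esr", "188.8.131.9"),     # lexically "newer", numerically older
]

if __name__ == "__main__":
    for host, ch, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ch} build {ver} is below required {REQUIRED[ch]}")
```

Run it as a script to list the hosts still needing the update; `is_patched` can be reused directly against whatever version string your inventory tool reports for the Flash plug-in.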
The bug, which affects how Flash Player plays video files, lets an attacker use a specially crafted video file to seize control of a user’s computer. It was made public last week by security research firm FireEye, which discovered the flaw and reported it to Adobe.
The vulnerability has already been used by a Chinese hacking group known as “APT3 (Advanced Persistent Threat 3)”. The group was sending phishing emails aimed at organisations in the aerospace, defence, construction, engineering, high tech, telecommunications and transportation industries, which installed a custom backdoor on victims’ computers.
“This group is one of the more sophisticated threat groups and they have a history of introducing new browser-based zero-day exploits (e.g. Internet Explorer, Firefox, and Adobe Flash Player),” FireEye writes. A zero-day exploit is one that has not been seen before and targets a vulnerability in software or hardware for which no fix yet exists, so it can cause serious problems well before anyone realises something is wrong.
A further warning was put out after the exploit made its way into the popular exploit kit called ‘Magnitude’. Kits such as Magnitude let would-be malware authors put together their software without having to write the exploits themselves, and this one has already been used to try to install ransomware on victims’ computers.
The publisher has now made a patch available, which can be downloaded using the auto-updater included with Flash.