Analecta Cyber Company Blog: Emergency Patch released for Latest Flash Zero-Day Vulnerability

2015-11-25

Just as the last quarter of the year started, reports came out about a zero-day vulnerability in the newly patched Adobe Flash Player.

Pawn Storm, a well-known group of Russian hackers, exploited the vulnerability and targeted several foreign affairs ministries around the world. The flaw allowed intruders to execute arbitrary code remotely via a crafted SWF (Small Web Format) file in the Adobe Flash file format.

It allowed hackers to gain complete control of users' machines, potentially putting all Flash Player users around the globe at risk.

The critical vulnerabilities discovered include the following: CVE-2015-7645, CVE-2015-7647, and CVE-2015-7648.

Adobe had no immediate patch for the flaw. The company has since patched the vulnerability, along with other undisclosed critical vulnerabilities. In its official security bulletin (APSB15-27), Adobe detailed the risks associated with the zero-day and how users can eliminate them.

Versions of Flash and other products affected

The flaw received a high-severity CVSS score of 9.3 from the National Vulnerability Database (NVD) because hackers had exploited the zero-day flaw. Affected Adobe Flash Player versions include the following:

  • Adobe Flash Player 18.x through 18.0.0.252 on Microsoft's Windows and Mac OS X.
  • Adobe Flash Player 19.x through 19.0.0.207 on Microsoft's Windows and Mac OS X.
  • Adobe Flash Player 11.x through 11.2.202.535 on Linux.
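
The version ranges above can be checked against a software inventory. The following is an added example, not code from Adobe or from this blog; the hostnames, inventory rows and platform aliases are constructed, and it assumes versions are recorded as four-part strings separated by dots or commas.

```python
# Affected ranges from the list above: (major branch, last affected build, platforms)
AFFECTED = [
    (18, (18, 0, 0, 252), {"windows", "macos"}),
    (19, (19, 0, 0, 207), {"windows", "macos"}),
    (11, (11, 2, 202, 535), {"linux"}),
]
# Assumed inventory spellings mapped to canonical platform names
PLATFORM_ALIASES = {"windows": "windows", "win": "windows", "macos": "macos",
                    "mac os x": "macos", "os x": "macos", "linux": "linux"}

def parse_version(text):
    """Parse 'a.b.c.d' or 'a,b,c,d' into a 4-tuple of ints."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform, version_text):
    """True if the version falls in a range listed for that platform."""
    plat = PLATFORM_ALIASES.get(platform.strip().lower())
    if plat is None:
        raise ValueError(f"unknown platform: {platform!r}")
    version = parse_version(version_text)
    return any(plat in platforms and version[0] == major and version <= last
               for major, last, platforms in AFFECTED)

def triage(inventory):
    """Return (host, status) pairs; unparsable rows are flagged for review."""
    results = []
    for host, platform, version_text in inventory:
        try:
            hit = is_affected(platform, version_text)
            status = "AFFECTED" if hit else "not in listed ranges"
        except ValueError as exc:
            status = f"REVIEW ({exc})"
        results.append((host, status))
    return results

SAMPLE_INVENTORY = [  # constructed rows, not real hosts
    ("ws-01", "Windows", "19.0.0.207"),
    ("ws-02", "Windows", "19.0.0.300"),
    ("mac-01", "Mac OS X", "18,0,0,252"),
    ("lin-01", "Linux", "11.2.202.535"),
    ("lin-02", "Linux", "11.2.202.540"),
    ("ws-03", "Windows", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

A result of "not in listed ranges" only means the version is outside the three ranges listed here; it does not confirm that the installation is patched.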

For security purposes, the newly released patch includes other Adobe Flash products that might be affected by the vulnerability. These are:

  • Adobe Flash Player Desktop Runtime
  • Adobe Flash Player Extended Support Release
  • Adobe Flash Player for Google Chrome
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11
  • Adobe Flash Player for Internet Explorer 10 and 11
  • Adobe Flash Player for Linux

In just a few months this year, Adobe Flash Player has been a regular target of attackers exploiting numerous unknown vulnerabilities and putting many users at risk. For now, several major companies have moved away from Flash for delivering videos. YouTube, Firefox, Google Chrome and even Facebook are among those that have expressed the same opinion.