Emergency Flash update plugs zero-day exploited in the wild

Adobe released a Flash Player update to fix the zero-day vulnerability that has been spotted being exploited by Pawn Storm hackers.

The latest version of Flash Player for Windows and OS X (v19.0.0.226) and for Linux (v11.2.202.540) plugs three distinct holes, which can lead to a total compromise of the targeted systems.

This patch was scheduled for this week, but Adobe got a move on it and released it on Friday.

The Pawn Storm attackers used the flaw to target foreign affairs ministries from around the globe. The attack and the exploit was discovered by Trend Micro threats analyst Peter Pi, but Natalie Silvanovich of Google Project Zero detected the flaw and reported it two weeks before it was found exploited in the wild.

“Our analysis of the Adobe Flash zero-day vulnerability used in the latest Pawn Storm campaign reveals that the previous mitigation techniques introduced by Adobe were not enough to secure the platform,” Pi noted in a post following the release of the Flash update.

Adobe introduced several mitigation techniques for Flash exploits earlier this year, co-working with Google Project Zero. These mitigation techniques focused on reducing Vector.<*> exploits, because a corrupted Vector.<*> was frequently used to achieve the ability to read and write arbitrary parts of memory,” he explained.

“Once these mitigations were put in place, the exploits in the wild decreased, but they did not completely disappear. This latest vulnerability is the first zero-day exploit discovered in the wild after these mitigations were added.”

Users who haven’t given up on Flash yet are advised to implement the update as soon as possible.