Adobe has been no stranger to Flash zero-day exploits in recent months, but the newest vulnerabilities to be fixed with an emergency patch have reportedly been used in targeted attacks against foreign affairs ministries in a spear-phishing campaign called Operation Pawn Storm.
In the attacks, high-profile political targets at NATO and the White House, as well as in Ukraine and Russia, received emails with what appeared to be headlines for current events. However, the links led either to malicious Adobe Flash SWF files or to fake Outlook Web App login pages.
Google alerted Adobe to the Flash vulnerability on Sept. 29, about two weeks before exploits were seen in the wild.
Jean Taggart, senior security researcher for Malwarebytes Labs in San Jose, Calif., said it is time for enterprises and especially government agencies to move on from Flash.
"Everyone should be migrating to HTML5 as fast as possible -- governments even more so," Taggart said. "Flash is one, if not the preferred attack vector for malicious actors. Everyone should disable it, or at the very least, employ some anti-exploit mitigation mechanism."
Taggart admitted that the cost and difficulty of transitioning away from Flash can vary considerably, but organizations and government agencies at least need to have a plan in place and be aware of the issues that may arise.
"There are exploit mitigation programs that can be deployed if the migration is expected to be lengthy, but Flash has become a technology where the risks outweigh the benefits," Taggart said. "Having personally used [Flash on-demand] technologies, I can attest that your browsing experience is fundamentally changed. I understand sysadmins would not relish the queue of complaint tickets deploying a 'play-on-demand' solution would generate. It is better to concentrate on migrating to HTML5."