Adobe patches Flash zero-day used in foreign ministry attacks

Adobe has released an emergency patch for Flash zero-day vulnerabilities that have been exploited in the wild in attacks on foreign affairs ministries.

Adobe has been no stranger to Flash zero-day exploits in recent months, but the newest vulnerabilities to be fixed with an emergency patch have reportedly been used in targeted attacks against foreign affairs ministries in a spear-phishing campaign, called Operation Pawn Storm.

Adobe acknowledged the flaws and released bulletin APSB15-27, which fixes a few critical vulnerabilities, including CVE-2015-7645 used in Pawn Storm, according to Trend Micro Inc.

In the attacks, high-profile political targets in NATO and the White House, as well as in Ukraine and Russia, received emails with what appeared to be headlines for current events. However, the links directed either to malicious Adobe Flash SWF files or to fake Outlook Web App login pages.

Google alerted Adobe to the Flash vulnerability on Sept. 29, about two weeks before exploits were seen in the wild.

Jean Taggart, senior security researcher for Malwarebytes Labs in San Jose, Calif., said it is time for enterprises and especially government agencies to move on from Flash.

"Everyone should be migrating to HTML5 as fast as possible -- governments even more so," Taggart said. "Flash is one, if not the preferred attack vector for malicious actors. Everyone should disable it, or at the very least, employ some anti-exploit mitigation mechanism."

Taggart admitted that the cost and difficulty of transitioning away from Flash can vary considerably, but organizations and government agencies at least need to have a plan in place and be aware of the issues that may arise.

"There are exploit mitigation programs that can be deployed if the migration is expected to be lengthy, but Flash has become a technology where the risks outweigh the benefits," Taggart said. "Having personally used [Flash on-demand] technologies, I can attest that your browsing experience is fundamentally changed. I understand sysadmins would not relish the queue of complaint tickets deploying a 'play-on-demand' solution would generate. It is better to concentrate on migrating to HTML5."
