Two days ago, The Hacker News (THN) reported on a zero-day vulnerability in the freshly patched Adobe Flash Player. The vulnerability was exploited in the wild by a well-known group of Russian hackers, named “Pawn Storm,” to target several foreign affairs ministries worldwide.
The zero-day flaw allowed hackers to take complete control of a user's machine, potentially putting all Flash Player users at high risk.
Since then, no patch had been available to make the flawed utility safe.
However, Adobe has now patched the zero-day vulnerability, along with some critical vulnerabilities whose details are yet to be disclosed.
Yesterday, the company published a post in its official security bulletin (APSB15-27) detailing the risks associated with the zero-day and how users can get rid of them.
The critical vulnerabilities are assigned the following CVE numbers:
Adobe is also aware that the hackers had exploited the zero-day flaw (CVE-2015-7645) to conduct limited, targeted attacks. Therefore, it gets a CVSS severity score of 9.3 (High), as measured by the National Vulnerability Database (NVD).
The zero-day flaw was such that it affected:
As a result, the zero-day allowed intruders to remotely execute arbitrary code through a crafted SWF (Small Web Format) file, the Adobe Flash file format for efficient delivery of video and audio over the web.
Along with the patch, Adobe also lists several affected Adobe Flash products, namely:
Adobe and its PSIRT (Product Security Incident Response Team) also thanked Trend Micro and **Google Project Zero** for the detection and analysis of the exploit and for vulnerability research, respectively.
To conclude, with all the serious cyber attacks targeting Adobe Flash Player in the past and present, Flash must go away!
This time, too, the foreign affairs ministries are falling prey to dangerous “phishing attacks,” in which the victims receive emails whose subjects reference current events and whose message contains a link (URL) that redirects the victim to the exploit set up by an attacker.
For 20 years, Adobe Flash has been making the Web a slightly more interesting and interactive place. But…
…within three months this year (from July to date), Adobe Flash Player has been a regular on the bulletin board, with many unknown vulnerabilities discovered and exploitable in it.
This, in turn, puts many users at risk.
At the beginning of this year, YouTube moved away from Flash for delivering videos. Moreover, Firefox also blocked the Flash plugin entirely.
Facebook’s Security Chief publicly called for Adobe to announce a ‘kill-date for Flash.’ Google Chrome has also begun blocking auto-playing Flash ads by default.
Therefore, if you want your information to stay only with you, say “Good Bye to Flash.”