The vulnerability is being exploited by a cyberespionage group targeting governments, NATO and the media, researchers warn.
A day after releasing its monthly security update, Adobe confirmed it has discovered a new vulnerability in Flash Player that affects every version running on the Windows, Macintosh and Linux operating systems.
Adobe said Thursday that it will issue an out-of-cycle security update next week to address the plug-in’s vulnerability, which it warned could cause a crash and potentially allow an attacker to take control of the affected system. The bug was discovered earlier this week by researchers at Trend Micro.
“Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19,” the company said in its advisory.
The San Jose, California-based software maker did not immediately respond to a request for more information on the vulnerability.
The vulnerability in the widely used plug-in is already being used in phishing attacks launched by the cyberespionage group Pawn Storm against a variety of governments, according to Trend Micro. Active since 2007, the group is known to have targeted governments in Europe, Asia and the Middle East, as well as NATO organizations, the White House and US media, Trend Micro reported.
Adobe’s Flash was once the de facto standard for websites to run games, stream video and deliver animation in the browser. It has fallen out of favor, however, with many tech companies and organizations, which deride the plug-in as a battery hog and a security risk. In its heyday, Flash ran on more than 800 million mobile phones manufactured by 20 handset makers. Its popularity has waned in recent years as more of the online video industry turns to HTML5, a developing language that can run graphics without plug-ins.
Following Steve Jobs’ high-profile open letter attacking Flash in 2010, a chorus of voices in the tech community has called for the software to be retired. In August, Google announced it would no longer automatically play advertisements made with Flash on its Chrome browser, the most popular Web browser in the world. In July, a day after Facebook security chief Alex Stamos said that “it is time for Adobe to announce the end-of-life date for Flash,” Mark Schmidt, the head of Firefox support, declared that Flash is “blocked by default in Firefox as of now.”
Citing Flash’s poor track record with security, some researchers recommend Web users disable or remove the plug-in altogether.
“2015 has been a very bad year for the Flash Player and given that a patch won’t be available for several more days it is crucial to take immediate action to protect yourself,” Jerome Segura, a senior malware researcher at Malwarebytes, wrote in a blog post Wednesday. “Indeed, this window of opportunity is something that exploit kit authors have taken advantage of in the past to infect scores of end users.”