Adobe Fixes 69 RCE Flaws As New Flash Zero Day Emerges

Adobe has patched 69 flaws in Reader, Acrobat and Flash but it is unclear whether the company has fixed yet another zero-day vulnerability in the latter which researchers claim is being used in the ‘Pawn Storm’ phishing campaign.

Pawn Storm is well known for its high-profile targets and researchers at TrendMicro note the URLs hosting the exploit are similar to those used in attacks targeting NATO and the White House earlier this year. TrendMicro has been monitoring the campaign for some time.

Pawn Storm

“In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe,” said the security firm. “The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events.”

Examples of such subjects included “Suicide car bomb targets NATO troop convoy Kabul”, “Syrian troops make gains as Putin defends air strikes”, “Israel launches airstrikes on targets in Gaza”, “Russia warns of response to reported US nuke build-up in Turkey, Europe” and “US military reports 75 US-trained rebels return Syria.”

“Foreign affairs ministries have become a particular focus of interest for Pawn Storm recently,” added the firm. “Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organisation for an extended period of time in 2015.”

Adobe updates

The researchers say the flaw affects at least versions 19.0.0.185 and 19.0.0.207 of Flash and have notified Adobe. However, it is unclear whether the raft of updates has repaired the vulnerability. Adobe says none of the bugs it has identified have been seen in the wild, although one bug reported by TrendMicro has been fixed. TechWeekEurope has asked Adobe for clarification.

All the patches are deemed ‘critical’ because they could allow a remote attacker to take control of a system.

“APSB15-24 for Reader and APSB15-25 for Flash address a number of critical vulnerabilities (over 50 for Reader) that would allow an attacker to execute code within the context of the user,” said Wolfgang Kandek, Qualys CTO. “Flash we recommend patching immediately. On the other hand Adobe’s Sandbox has been providing additional hardening to its PDF Reader and it has been over a year since we have seen PDF files used in exploits in the wild. Patch within your normal patch cycle.”

The bugs will do nothing to calm fears about the security of Flash, which has been blocked by default, albeit temporarily, in Firefox, while adverts using the software are automatically paused in Google Chrome.

Facebook’s new chief security officer Alex Stamos has also called on Adobe to set an end of life date for the much-maligned plug-in due to the sheer number of security threats.

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
