Exploit hits fully patched Adobe Flash

According to an Adobe Security Bulletin, a critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Successful exploitation of this zero-day can cause a crash and potentially allow attackers to take control of the affected systems.

So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said.

As always, people should consider disabling Flash on as many sites as possible, since attackers do compromise trusted sites and use them to attack the people who visit them. Most browsers by default provide a click-to-play mechanism that blocks Flash-based content for each site visited unless explicitly approved by the end user. A more thorough approach is to uninstall Flash altogether.

Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19.

Affected software versions

Adobe Flash Player 19.0.0.207 and earlier versions for Windows and Macintosh

Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions

Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux

Adobe categorizes this as a critical vulnerability.
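
As an added example (not part of Adobe's bulletin or the original article), this Python script triages a software inventory against the affected versions listed above, comparing within each major branch so that a later 18.x build is not flagged just because it sorts below 19.0.0.207. The host names and inventory rows are constructed, and reporting versions outside the listed ranges as "not-listed" (meaning the list above does not cover them, not that they are safe) is an assumption.

```python
import re

# Highest affected build per platform and major branch, from the list above.
CEILINGS = {
    "windows":   {19: (19, 0, 0, 207), 18: (18, 0, 0, 252)},
    "macintosh": {19: (19, 0, 0, 207), 18: (18, 0, 0, 252)},
    "linux":     {11: (11, 2, 202, 535)},
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    # Flash sometimes reports its version comma-separated, so accept both.
    m = re.fullmatch(r"\s*(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'affected', 'not-listed' or 'invalid' for one inventory row."""
    key = platform.strip().lower()
    version = parse_version(version_text)
    branches = CEILINGS.get(key)
    if version is None or branches is None:
        return "invalid"
    major = version[0]
    if major in branches:
        # Compare inside the branch, not against the global maximum.
        return "affected" if version <= branches[major] else "not-listed"
    # Windows/Macintosh: branches older than 18.x are still
    # "19.0.0.207 and earlier". For Linux only 11.x is listed.
    if key != "linux" and major < min(branches):
        return "affected"
    return "not-listed"

# Constructed inventory rows: (host, platform, reported Flash version).
INVENTORY = [
    ("ws-01", "Windows", "19.0.0.207"),
    ("ws-02", "Windows", "18,0,0,252"),
    ("ws-03", "Macintosh", "17.0.0.169"),
    ("lx-01", "Linux", "11.2.202.535"),
    ("lx-02", "Linux", "11.2.202.999"),
    ("ws-04", "Windows", "unknown"),
]

def triage(rows):
    return {host: classify(platform, ver) for host, platform, ver in rows}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as "invalid" need manual follow-up, since a missing or unparseable version string says nothing about whether the host is exposed.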