Adobe on Wednesday released an emergency patch for its Flash Player browser plug-in due to a critical flaw that is being actively exploited in the wild. Flash Player 220.127.116.11 and earlier for Windows and Macintosh systems are affected by the issue, as is version 18.104.22.1686 for Linux 11.x versions. The attack, called APT3 for the China-based organization from which it originates, uses spam "phishing" emails targeted at industry professionals to gain credentials used to steal intellectual property data.
The hacker group "responsible for the so-called Clandestine Fox operation has been exploiting the latest Flash zero day since early this month, via phishing emails targeting aerospace and defense, construction and engineering, high tech, telecommunications, and transportation organizations," said Kaspersky's ThreatPost blog. The blog quoted FireEye's Mike Oppenheim as saying that while Adobe has acted fairly quickly on developing a fix after being notified privately of the flaw two weeks ago, those who are not up-to-date with today's patch are still at risk.
"Any time one of these groups is using a zero day [exploit] and casting such a wide net, it's pretty significant, especially since the activity started in early June, and a patch was not released until today," Oppenheim said. "That's a big window, and possibly tons of victims are affected."
The professional users targeted in the phishing emails usually receive suspicious emails about deeply discounted Apple products, as many high-tech industries now use iOS devices and Macs for enterprise purposes. "The emails contain links to attacker-controlled websites where the Flash exploit is downloaded quietly onto a victim's machine, as is the backdoor for moving data and dropping additional malware," said Kaspersky. The full report from FireEye is available here.
Adobe's updates for Flash Player generally extend no further back than OS X 10.6, and so any machines running older versions of OS X are advised to disable Flash functionality entirely. Windows systems running XP and earlier are also advised to disable Flash if it cannot be updated to the latest version.