New zero-day exploit hits fully patched Adobe Flash [Updated]
Update on October 14 at 1:15pm PDT: Adobe officials have confirmed this vulnerability affects Flash version 18.104.22.168, which was released on Tuesday. The vulnerability has been cataloged as CVE-2015-7645. The company expects to release a fix next week.
Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers, security researchers warned Tuesday.
So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 22.214.171.124 and 126.96.36.199 and may also affect earlier versions. At this early stage, no other technical details are available. The researchers wrote: