Russian hackers spark yet another Adobe Flash zero day security flaw warning

After this Tuesday's mega-patches, Adobe promises another one for some time next week

Adobe Flash, which Adobe lavished with patches just last Tuesday, has once again been made vulnerable following yet another zero day security flaw, which is already being exploited.

The attacks have been attributed to a Russian gang dubbed "Pawn Storm", also known as APT 28 and Tsar Team, by researchers at Trend Micro. Its previous targets have included NATO, Eastern European governmental agencies, telecoms companies, defence companies and critical utilities, such as energy.

"Pawn Storm's arsenal is not limited to Flash exploits. They have also used Microsoft Office zero days, and a Java zero day, the first publicly exploited in Java since 2013. The Java flaw was patched in July by Oracle," said Kaspersky's Threat Post website.

It continued: "According to Trend researchers, the current exploits against the Flash zero day are being spread in spear phishing emails with relevant political or military-themed subject lines. The emails contain links to websites hosting the zero day exploit."

In a warning updated yesterday, Adobe admitted that its Flash Player was being targeted. "A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks," it admitted.

However, Adobe did not go into details about the precise nature of the flaw that is being exploited. The company is promising a new patch to fix it, but it will not be available until next week and Adobe has not fixed a date when the patch will be issued. Until then, Adobe Flash will remain vulnerable.

Users have long been advised to, at the very least, change the security settings in their browser to make Adobe Flash (as well as Acrobat Reader) "click to play", so that Flash plug-ins do not run automatically. Facebook's new chief security officer, Alex Stamos, for example, has called for Flash to be discontinued.

Many organisations are already shifting to HTML 5-based videos, especially following widespread advice that Flash ought to be discontinued.

UPDATE: Adobe has unexpectedly rushed out a fix for the security flaw today