Adobe rushes out fast Flash fix for security flaw exploited by Pawn Storm hackers

Something for the weekend from Adobe

Adobe has surprised everyone by rushing out a fix to a critical zero-day flaw in Flash, which is already known to be exploited "in the wild" by a Russian hacking group.

The company had claimed that it would issue a fix some time next week, after anti-virus software company Trend Micro issued a warning over the security flaw. That warning came just hours after Adobe had issued a massive series of security patches to fix vulnerabilities in both its Flash and Acrobat document creation and reader software.

The security flaw affects versions of Flash running on Windows, Mac, Linux and ChromeOS, and has been exploited by "Pawn Storm", a hacking group believed to operate from Russia. It typically targets governmental, industrial and critical infrastructure organisations in Eastern Europe, as well as organisations like NATO.

Adobe has worked with Google's Project Zero over the past year in a bid to reduce the large volume of security flaws in its Flash software. That volume has even led people like Facebook chief security officer Alex Stamos to suggest that the software should be phased out and, indeed, the level of security flaws in Adobe Flash has helped encourage the adoption of HTML5 as an alternative for online video.

Trend Micro threats analyst Peter Pi described how the newly discovered security flaw works in technical detail in a blog post published today. He labelled it as "the most interesting Flash vulnerability I have ever analysed".

He continued: "Adobe introduced several mitigation techniques for Flash exploits earlier this year, co-working with Google Project Zero. These mitigation techniques focused on reducing Vector.<*> exploits, because a corrupted Vector.<*> was frequently used to achieve the ability to read and write arbitrary parts of memory."

He added: "This allows various security techniques like DEP/ASLR/CFG/EMET to be bypassed and achieve remote code execution (RCE) within the browser process. Once these mitigations were put in place, the exploits in the wild decreased, but they did not completely disappear. This latest vulnerability is the first zero-day exploit discovered in the wild after these mitigations were added."