Exploit hits fully patched Adobe Flash
According to an Adobe Security Bulletin, a critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux. Successful exploitation of this zero-day vulnerability can cause a crash and potentially allow attackers to take control of the affected systems.
So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said.
As always, people should consider disabling Flash on as many sites as possible, since attackers do compromise trusted sites and use them to attack the people who visit them. Most browsers by default provide a click-to-play mechanism that blocks Flash-based content for each site visited unless explicitly approved by the end user. A more thorough approach is to uninstall Flash altogether.
Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19.
Affected software versions
Adobe Flash Player 22.214.171.124 and earlier versions for Windows and Macintosh
Adobe Flash Player Extended Support Release version 126.96.36.199 and earlier 18.x versions
Adobe Flash Player 188.8.131.525 and earlier 11.x versions for Linux
Adobe categorizes this as a critical vulnerability.