Adobe has issued a raft of remote code execution (RCE) flaw patches for Flash, Reader and Acrobat, but a Flash zero day is being used in Pawn Storm phishing
Adobe has patched 69 flaws in Reader, Acrobat and Flash but it is unclear whether the company has fixed yet another zero-day vulnerability in the latter which researchers claim is being used in the ‘Pawn Storm’ phishing campaign.
Pawn Storm is well known for its high-profile targets and researchers at TrendMicro note the URLs hosting the exploit are similar to those used in attacks targeting NATO and the White House earlier this year. TrendMicro has been monitoring the campaign for some time.
“In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe,” said the security firm. “The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events.”
Example of such subjects included “Suicide car bomb targets NATO troop convoy Kabul”, “Syrian troops make gains as Putin defends air strikes”, “Israel launches airstrikes on targets in Gaza”, “Russia warns of response to reported US nuke build-up in Turkey, Europe” and “US military reports 75 US-trained rebels return Syria.”
“Foreign affairs ministries have become a particular focus of interest for Pawn Storm recently,” added the firm. “Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organisation for an extended period of time in 2015.”
The researchers say the flaw affects at least versions 220.127.116.11 and 18.104.22.168 of Flash and have notified Adobe. However it is unclear whether the raft of updates have repaired the vulnerability. Adobe says none of the bugs it has identified have been seen in the wild, although one bug reported by TrendMicro has been fixed. TechWeekEurope has asked Adobe for clarification.
All the patches are deemed ‘critical’ because they could allow a remote attacker to take control of a system.
“APSB15-24 for Reader andAPSB15-25 for Flash address a number of critical vulnerabilities (over 50 for Reader) that would allow an attacker to execute code within the context of the user,” said Wolfgang Kandek, Qualys CTO. “Flash we recommend patching immediately. On the other hand Adobe’s Sandbox has been providing additional hardening to its PDF Reader and it has been over a year since we have seen PDF files used in exploits in the wild. Patch with within your normal patch cycle.”
The bugs will do nothing to calm fears about the security of Flash, which has been blocked by default, albeit temporarily, in Firefox and adverts using the software are automatically paused in Google Chrome.
Facebook’s new chief security officer Alex Stamos has also called on Adobe to set an end of life date for the much-maligned plug-in due to the sheer number of security threats.
Are you a security pro? Try our quiz!