Adobe Systems released emergency security updates for Flash Player in order to fix a vulnerability that has been exploited in attacks against users since earlier this month.
The attacks were discovered by security researchers from Kaspersky Lab and were launched from a website set up by the Syrian Ministry of Justice to receive complaints about law violations. It’s not clear who was behind the attack, but the site had been compromised in the past by hackers.
“We received a sample of the first exploit on April 14, while a sample of the second came on April 16,” Vyacheslav Zakorzhevsky, manager of the vulnerability research group at Kaspersky Lab said in a blog post Monday. “The first exploit was initially recorded by KSN [the Kaspersky Security Network] on April 9, when it was detected by a general heuristic signature.”
While the two exploits leveraged the same, previously unknown, vulnerability in Flash Player they targeted users in different ways. One exploit could have been used to infect any computer with Flash Player installed, but the second specifically required Adobe Flash Player 10 ActiveX and the Cisco MeetingPlace Express Add-In to be installed on the targeted systems.
The Cisco Unified MeetingPlace Express is a Web collaboration and video conferencing product developed by Cisco Systems and the Kaspersky researchers believe the exploit authors were trying to use it to spy on their targets.
Hackers flee the coop
It’s not known what kind of malware the exploits delivered because the payload files that they were designed to download and execute on the victim computers had been removed from the remote server where they were hosted by the time the attacks were discovered.
Given the nature of the site used to host the exploits and the fact that all identified victims—seven unique users—were based in Syria, “we believe the attack was designed to target Syrian dissidents complaining about the government,” Zakorzhevsky said.
The vulnerability was fixed Monday in the newly released Flash Player 22.214.171.124 for Windows and Mac and Flash Player 126.96.36.1996 for Linux. The Flash Player versions bundled with Google Chrome, Internet Explorer 10 on Windows 8 and Internet Explorer 11 on Windows 8.1, will get the fix automatically through the respective update mechanisms of those browsers.
“Although we’ve only seen a limited number attempts to exploit this vulnerability, we’re strongly recommending users to update their versions of Adobe Flash Player software,” Zakorzhevsky said via email. “It is possible that once information about this vulnerability becomes known, criminals will try to reproduce these new exploits or somehow get the existing variants and use them in other attacks.”
It’s likely that cybercriminals will try to profit from this vulnerability even with a patch available, because it will take some time for all users to update their Flash Player installations, Zakorzhevsky said. “Unfortunately this vulnerability will be dangerous for a while.”
News of this Flash Player zero-day exploit comes after Saturday Microsoft warned customers about attacks exploiting a previously unknown vulnerability in Internet Explorer.