The latest version of Adobe Flash Player, which was made available on Tuesday, will have a short shelf life.
Adobe will release an emergency Flash update next week after public attacks were carried out against a zero day vulnerability in the latest version of the software, 22.214.171.124, for Windows and Macintosh systems.
Adobe said only that the Flash update will be available the week of Oct. 19; no specific date was set.
The attacks have been attributed to a Russian-speaking APT gang known as Pawn Storm, also known as APT 28 and Tsar Team, by researchers at Trend Micro. Past targets have included NATO, Eastern European government agencies, diplomatic interests, and critical industries including nuclear, telecommunications and the defense industrial base.
Pawn Storm’s arsenal is not limited to Flash exploits. They’ve also used Microsoft Office zero days, and a Java zero day, the first publicly exploited in Java since 2013. The Java flaw was patched in July by Oracle.
Adobe did not share many details on the vulnerability, CVE-2015-7645, other than that an exploit could cause a crash and allow an attacker to remotely control the compromised computer.
In addition to Windows and Mac versions, Adobe is expected next week to also patch Adobe Flash Player Extended Support Release version 126.96.36.199 and earlier 18.x versions, and Adobe Flash Player 188.8.131.525 and earlier 11.x versions for Linux.
According to Trend researchers, the current exploits against the Flash zero day are being spread in spear phishing emails with relevant political or military-themed subject lines. The emails contain links to websites hosting the zero day exploit.
Earlier this year, Pawn Storm dropped as many as six zero days in targeted attacks carried out over a four-month period. Experts said this behavior is unusual given the value of zero days in commercial and underground markets. Researchers at iSight Partners told Threatpost that five of the six zero days used earlier this year were developed by the Pawn Storm gang, with the sixth a repurposed attack against Flash revealed in the breach against Hacking Team.
As recently as August, Pawn Storm surfaced again when it was discovered that a phony domain purportedly belonging to the Electronic Frontier Foundation was registered and used in spear phishing attacks pushing the patched Java zero day.
The EFF said at the time that the path and filename used in the exploit are the same as those used in other attacks carried out by Pawn Storm, particularly Sednit. The Sednit payload, which was analyzed earlier this summer, downloads a .DLL file, which is executed and opens a backdoor to several attacker-controlled domains used to exfiltrate data.