Adobe has decided to patch the zero day vulnerability that was disclosed in Flash Player earlier this week today — instead of next week as originally scheduled.
According to a security bulletin Adobe posted this morning the update actually fixes three vulnerabilities in the software, but the most pressing one is the zero day, CVE-2015-7645, the company said is being used in limited, targeted attacks.
The flaw, a type confusion vulnerability, has been tied to attacks carried out by a Russian-speaking APT group operating under the guise of Pawn Storm, or APT 28. Type confusion vulnerabilities occur when code doesn’t verify the type of object that’s passed to it, and uses it without type-checking.
Researchers with Trend Micro, who discovered the zero day, said this week that exploits leveraging CVE-2015-7645 were being circulated via spear phishing emails targeting foreign affairs ministries. The attack vector is right in Pawn Storm’s wheelhouse. In the past the group has been spotted targeting NATO, Eastern European government agencies, and other critical industries.
The patch also addresses two other type confusion vulnerabilities, CVE-2015-7647 and CVE-2015-7648, both discovered by Natalie Silvanovich, a researcher with Google’s Project Zero.
All of the bugs could lead to code execution and potentially allow an attacker to take control of the affected system.
The latest version, 220.127.116.11 for both Windows and Macintosh, trumps what was thought to be week’s only update, 18.104.22.168, pushed out just three days ago, alongside patched versions of Acrobat and Reader, as part of Patch Tuesday.