UPDATED noon EDT, Friday Oct. 16, with news that Adobe has patched the latest flaw.
For what feels like the umpteenth time, a zero-day exploit has been found attacking Adobe Flash Player. This time, the exploit is part of an ongoing cyberespionage campaign possibly linked to Russia, but the fact that few users are affected (so far) doesn't diminish the chronic threat posed by Adobe's repeat offender of a browser plugin.
Adobe posted an advisory warning yesterday (Oct. 14) on its website, but no patch for the vulnerability has been released, despite a host of other patches having been pushed out the previous day. The warning states that Adobe doesn't expect a patch to be ready until next week.
The new Flash exploit is part of recent attacks by the spies behind the Pawn Storm campaign, which for the past year has been targeting potential adversaries of the Russian government. Security firm Trend Micro reports that the Flash exploit has been used in highly targeted spear-phishing attacks that sent email messages containing malicious Web links to "several foreign-affairs ministries from around the globe."
The emails bear subject lines such as "Russia warns of response to reported US nuke buildup in Turkey, Europe" and "Israel launches airstrikes on targets in Gaza." The expectation is that curious diplomats will click through to the malicious websites, thus compromising their Web browsers and, depending on the accompanying malware, their Windows, Mac or Linux computers.
Adobe states that "this vulnerability is being used in limited, targeted attacks," but in fact, it's yet another reminder that only you can prevent Flash attacks.
We advise all users to simply disable Flash. We walk you through most browsers in this tutorial, and there are instructions available at Laptop Mag if you use Microsoft's new Edge browser. Still need Flash for some reason? Here's how to set Flash to click-to-run, which will at least prevent malicious Flash exploits from loading immediately.
UPDATE: Adobe posted a patch for the Pawn Storm exploit Friday. Microsoft's Edge browser and Internet Explorer 11 on Windows 10, and IE 10 or 11 on Windows 8 or 8.1, will be automatically updated, as will Google Chrome on all platforms. Otherwise, users will have to manually update Flash by visiting the official download page.