Adobe has pushed out another emergency update for Flash Player — the second in a month.
The update is meant to thwart a new zero-day exploit attacking Flash Player on Windows, Mac OS X, Linux and Android machines. Here's why it's important and what you need to do to protect yourself.
"These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe wrote in a security bulletin today (Feb. 20).
Security firm FireEye wrote in its own blog posting today that it had detected the zero-day exploit being used to attack visitors to specific websites as part of a "watering hole" campaign.
"Visitors to at least three nonprofit institutions — two of which focus on matters of national security and public policy — were redirected to an exploit server hosting the zero-day exploit," FireEye's researchers wrote. "We're dubbing this attack 'Operation GreedyWonk.'"
Zero-day exploits are attacks that leverage previously unknown software flaws — and against which there is little defense.
FireEye said the websites belonged to the Peter G. Peterson Institute for International Economics, the American Research Center in Egypt and the Smith Richardson Foundation. There's no indication those organizations knew their sites had been corrupted by hidden malware.
Some are more susceptible than others
All versions of Adobe Flash Player released before today's patch are vulnerable to the zero-day exploit, but the attackers are combining the Flash Player exploit with further exploits to fully take over machines.
Fortunately, only certain computers are vulnerable to those further exploits: all Windows XP machines, and Windows 7 machines that have Java 1.6 or Microsoft Office 2007 or 2010 installed.
"Users can mitigate the threat by upgrading from Windows XP and updating Java and Office," wrote the FireEye researchers. "If you have Java 1.6, update Java to the latest 1.7 version. If you are using an out-of-date Microsoft Office 2007 or 2010, update Microsoft Office to the latest version."
How to patch your build of Adobe Flash Player
Whether or not their machines fit into those categories, all Flash Player users should install the patch. Users of Internet Explorer 10 and 11 on Windows 7 and 8 will be automatically updated, as will users of Google Chrome on Windows, Mac OS X and Linux.
Users of other browsers, including Android users who have Flash Player installed as a stand-alone app, should download the updates from http://get.adobe.com/flashplayer/. Some recent installations of Flash Player will prompt users to download the update.
The latest versions of Android support Flash Player only as part of the Adobe AIR framework; those users should update their Adobe AIR builds from Google Play.
Gather 'round the watering hole
Similar watering hole attacks — so named because they target particular interest groups whose members repeatedly visit certain websites — have previously been mounted from the websites of the Council on Foreign Relations and other influential American think tanks.
A very successful watering hole attack in early 2013 targeted mobile app developers and infected the internal networks of Apple, Facebook, Microsoft and Twitter, among other companies.
In each case, the operators of the websites were not aware that their sites had been hijacked by malicious hackers. The attackers are usually presumed to be Chinese state-sponsored hackers, but that's impossible to prove.