Adobe issued an emergency patch today (Apr. 28) for a critical security flaw in Adobe Flash Player currently being used in two different zero-day exploits targeting Syrian dissidents. Windows, Mac and Linux are affected, and users should make sure browsers and any other program that uses Flash receives the Adobe updates.
The flaw, catalogued as CVE-2014-0515, lets attackers infect Web browsers through drive-by downloads from compromised websites, and from there install and run further malware without the computer user's knowledge.
Moscow-based security firm Kaspersky Lab discovered the zero-day exploits (researchers had zero days to prepare fixes before attacks began) earlier this month, and received confirmation from Adobe that the flaw underlying both was previously unknown.
Both exploits are located on the Syrian Ministry of Justice's website, on a page that serves as a forum for citizens to voice complaints. The location indicates this may be a watering-hole attack, in which attackers place malware on a webpage they expect their targets to visit, much as predators expect prey to gather at a watering hole.
"We believe the attack was designed to target Syrian dissidents complaining about the government," wrote Kaspersky researcher Vyacheslav Zakorzhevsky on Kaspersky's SecureList blog.
One of the exploits also looks for a specific Cisco web-conferencing extension, suggesting that this exploit was aimed at a very specific subset of visitors to the Ministry of Justice website.
"We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions," Zakorzhevsky wrote. "We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer."
If the Syrian government, or an associated group, is behind the attacks, the next question is: How did it find and exploit this previously unknown flaw? Zero-day vulnerabilities and exploits are valuable digital weapons and are bought and sold in malware gray markets. The National Security Agency and foreign intelligence agencies are assumed to be the biggest buyers of zero-days, purchasing them either to use in offensive operations or to prevent criminals and rival intelligence agencies from using them.
Kaspersky detected the Adobe Flash exploit when heuristic analysis (a scan that detects malware-associated behavior rather than individual malware code signatures) flagged it on April 9. Kaspersky has only seen successful attacks on Mozilla Firefox for Windows, but other browsers should be assumed to also be vulnerable.
Adobe acted quickly to patch the flaw. The company's security bulletin says some browsers will automatically install the update, such as Google Chrome for Mac, Windows and Linux and Internet Explorer 10 and 11 for Windows 8 and 8.1. Users of other browsers should download the updates manually from Adobe's website.
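Because some browsers update Flash automatically and others do not, an administrator's practical job after a bulletin like this one is to find the machines still running a pre-fix build. The script below is an added illustration of that check, not code from the article, Adobe or Kaspersky. It assumes Flash Player reports its version either dotted ("13.0.0.182") or, as ActionScript's Capabilities.version does, comma-separated with a three-letter platform prefix ("WIN 13,0,0,182"). The "first fixed" versions are labelled placeholders, since the article does not give them; the real numbers come from Adobe's security bulletin for CVE-2014-0515, which lists them per platform. The hostnames and version strings in the sample inventory are constructed.

```python
"""Flag hosts whose Flash Player build predates the first fixed release.

Added example, not code from the article, Adobe or Kaspersky. The fixed
versions are PLACEHOLDERS; take the real values from Adobe's bulletin.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# PLACEHOLDER values (assumption, not from the article): replace each entry
# with the first fixed build Adobe lists for that platform. Linux runs a
# separate 11.2 release line, so it needs its own threshold.
MIN_FIXED_BY_PLATFORM_PLACEHOLDER: Dict[str, Version] = {
    "WIN": (13, 0, 0, 999),
    "MAC": (13, 0, 0, 999),
    "LNX": (11, 2, 202, 999),
}

# Optional platform prefix, then four numeric parts separated by "." or ",".
_VERSION_RE = re.compile(
    r"^(?:(?P<platform>[A-Z]{3})\s+)?(?P<ver>\d+[.,]\d+[.,]\d+[.,]\d+)$"
)


def parse_flash_version(text: str) -> Optional[Tuple[Optional[str], Version]]:
    """Return (platform, version) or None if the string is not a Flash version.

    The platform is None when the string carries no prefix, which matters
    below: without it we cannot pick the right per-platform threshold.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    parts = tuple(int(p) for p in re.split(r"[.,]", match.group("ver")))
    return match.group("platform"), parts  # type: ignore[return-value]


def needs_update(installed: Version, min_fixed: Version) -> bool:
    """True when the installed build is older than the first fixed build."""
    return installed < min_fixed


def triage(inventory: Dict[str, str],
           min_fixed_by_platform: Dict[str, Version]) -> Dict[str, List[str]]:
    """Sort hosts into 'vulnerable', 'patched' and 'unknown'.

    A host whose version cannot be parsed, or whose platform is missing or
    has no threshold, is reported as unknown rather than silently counted
    as patched: a host we cannot assess is a host we have not assessed.
    """
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, reported in inventory.items():
        parsed = parse_flash_version(reported)
        if parsed is None:
            buckets["unknown"].append(host)
            continue
        platform, version = parsed
        threshold = min_fixed_by_platform.get(platform or "")
        if threshold is None:
            buckets["unknown"].append(host)
        elif needs_update(version, threshold):
            buckets["vulnerable"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "WIN 13,0,0,182",      # older than the WIN placeholder
    "ws-02": "WIN 13,0,0,999",      # equal to the placeholder: patched
    "mac-01": "MAC 13,0,0,999",
    "lx-01": "LNX 11,2,202,350",    # older than the LNX placeholder
    "ws-03": "Flash not installed",  # not a version string
    "ws-04": "13.0.0.182",          # no platform prefix: cannot assess
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY, MIN_FIXED_BY_PLATFORM_PLACEHOLDER).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it whatever your endpoint inventory exports (a browser plugin report, a software-inventory query) in the host-to-version-string shape shown, and treat the "unknown" bucket as work to do, not as clean.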
This Adobe Flash zero-day vulnerability is unrelated to a recently disclosed Internet Explorer zero-day flaw that has yet to be patched.