Adobe has released security updates that address three critical vulnerabilities in Flash Player, one of which is a zero-day bug that Trend Micro recently observed being used as part of a long-running espionage campaign.
According to a security bulletin, the security updates fix three type confusion bugs – CVE-2015-7645, CVE-2015-7647, and CVE-2015-7648 – that can lead to code execution and potentially enable an attacker to take control of a vulnerable system.
The update is considered high priority on Windows and Macintosh, so users on those platforms should install the newest version – 18.104.22.168, or 22.214.171.124 for Adobe Flash Player Extended Support Release – as soon as possible. The Linux update, 126.96.36.1990, is considered a lower priority.
Adobe said it is aware that one of the vulnerabilities – CVE-2015-7645, the bug reported by Trend Micro – is being used in “limited, targeted attacks.”
In a Tuesday post, Trend Micro said that the threat actors behind Operation Pawn Storm are targeting numerous foreign affairs ministries worldwide with spear phishing emails that contain links to the exploit. The emails contained subject lines designed to pique the interest of workers, such as “Suicide car bomb targets NATO troop convoy.”
The threat was confirmed in an official advisory published on Wednesday. Adobe said at the time that a fix was expected to be made available during the week of Oct. 19, but the software company was able to push out the updates earlier.