Adobe Patch for Flash 0-day
Last updated on: September 7, 2020
Last Friday Adobe published the patch for the critical 0-day vulnerability in their Flash Player. It had been disclosed early last week as being used in attacks on machines in the wild. Kudos to Adobe to react so quickly and provide the patch out-of-band.
The vulnerability is exploited by embedding a malicious Flash file into a Microsoft Word document that serves as the carrier. Targets receive an e-mail with the document attached, which can have a legitimate-sounding name such as: "Disentangling Industrial Policy and Competition Policy.doc", "Fukushima.doc", "Evaluation about Fukushima Nuclear Accident.doc" to trick the target into opening the document.
Once the target opens the document, the exploit runs, attacks the flaw in the Flash player, installs a remote control agent and then opens a second Word document with the real content. This all happens so fast that a normal user would not notice the attack.
We recommend that IT administrators use their patch management tools to deploy this new version of Flash Player (10.2.159.1) as soon as possible.
End-users can use our BrowserCheck tool at https://browsercheck.qualys.com to verify their installation. In the last two months the tool has seen about 250,000 visits and has diagnosed more than 160,000 browsers as vulnerable to attacks. Approximately ⅓ of the vulnerable browsers were identified as using outdated versions of Adobe Flash. The average "outdated age" of the installed Flash Players was 86 days and the half-life of the attack window is currently at 45 days, meaning that if attackers employ exploits that work against those that have been outdated for more than 45 days they will capture half of the surveyed machine base.
We recommend to classify Flash as one of the programs that should be grouped with other desktop class technologies and put on an aggressive upgrade schedule, ideally within a week of the release date of patches.