Adobe's security engineers have pulled out all the stops to release a patch for a shocking vulnerability in Flash much earlier than expected.
On Tuesday Trend Micro published details of a bug in all versions of the Flash player for Mac and PCs, and some Linux builds. The flaw is being actively exploited in the wild, Trend said, to hijack computers used by US and NATO officials.
Adobe responded the next day, rating the Flash flaw as critical, and promising a fix sometime next week. However, on Friday the patch was released and, once applied, people can use the plugin safely – until the next flaw is found.
The patch covers all versions of Flash, including the standalone player for Windows, Mac, and Linux, as well as plugins for Chrome, Edge, and Internet Explorer. Mozilla Firefox users may feel a bit miffed at getting left out, particularly as the browser has shown Adobe more love than most.
Adobe thanked Peter Pi at Trend, and Natalie Silvanovich of Google's Project Zero.
I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO— Natalie Silvanovich (@natashenka) October 16, 2015
Google, specifically its Project Zero team, has giving Adobe a helping hand by building anti-hacker defenses into Flash. One such defense tries to block Flash files from abusing
Vector objects to meddle with the plugin's memory and execute malicious code.
"Adobe introduced several mitigation techniques for Flash exploits earlier this year, co-working with Google Project Zero. These mitigation techniques focused on reducing Vector.<*> exploits, because a corrupted Vector.<*> was frequently used to achieve the ability to read and write arbitrary parts of memory," Trend's Pi explained in a blog post.
"Once these mitigations were put in place, the exploits in the wild decreased, but they did not completely disappear. This latest vulnerability is the first zero-day exploit discovered in the wild after these mitigations were added."
In other words, the miscreants exploiting the Flash bug were able to sidestep Google's added defenses, and infect machines with malware via the plugin. Nice try, Google, but not quite good enough this time. ®