Adobe Is Quick to Patch Latest Flash Zero-Day Threat

Days after the first public report of a new vulnerability in Adobe Flash, Adobe releases a patch.

Adobe Flash flaw

Adobe just can't seem to catch a break when it comes to the security of its Flash Player technology. On Oct. 14, Adobe issued an advisory warning about a new zero-day threat against its Flash Player, identified as CVE-2015-7645, which it has since patched.

Somewhat ironically, the first public report of attacks making use of CVE-2015-7645 emerged on Oct. 13, the same day that Adobe issued its regular monthly update for Flash Player, patching 13 different CVEs. Originally, the plan was to have a patch out this week for CVE-2015-7645, but Adobe was able to accelerate its process and delivered a patch on Oct. 16.

In its initial advisory for CVE-2015-7645, Adobe credited Trend Micro threat analyst Peter Pi with reporting the issue. Trend Micro publicly reported on Oct. 13 that it had discovered a new Adobe Flash zero-day vulnerability that was being used in the wild by the hacker group behind the Pawn Storm attack. The Pawn Storm attack has been ongoing for several months and has been known to make use of zero-day vulnerabilities. In July, Oracle patched the CVE-2015-2590 Java flaw that Pawn Storm was using in one of its attacks.

Trend Micro reported that in the new CVE-2015-7645 attack, Pawn Storm was going after foreign affairs ministries around the world with a spear phishing campaign.

The rapid turnaround for the CVE-2015-7645 zero-day patch is an improvement over Adobe's historical response times.

"We continue to have a typical zero-day patch cycle of approximately five to seven days, down from our 2009 zero-day patch cycle of 10 weeks," Adobe spokesperson Heather Edell told eWEEK. "This fix was fast, but we've had others that were patched in similar timeframes—a recent record was 36 hours. A couple of general primary factors that impact release time are partner and distribution coordination."

It turns out that, although Adobe initially credited Trend Micro with the discovery of CVE-2015-7645, security researcher Natalie Silvanovich of Google's Project Zero actually first reported the vulnerability to Adobe on Sept. 29.

"I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild," Silvanovich wrote in a Twitter message.

In its advisory on the CVE-2015-7645 patch, Adobe credits Trend Micro's Pi with the detection and analysis of the exploit, and credits Google Project Zero's Silvanovich for vulnerability research.

In addition to the CVE-2015-7645 issue, Adobe is patching two additional issues reported by Silvanovich, identified as CVE-2015-7647 and CVE-2015-7648.

"These updates resolve type confusion vulnerabilities that could lead to code execution," Adobe states in its advisory.

Google's Project Zero has a 90-day disclosure deadline. After 90 days, if a vendor hasn't patched a reported flaw, Google will publicly disclose the vulnerability.

Google has been helping Adobe secure Flash Player, with Google Project Zero consistently being a top source of vulnerability disclosure to Adobe across multiple sets of Adobe Flash Player updates this year. Google Project is also providing proactive recommendations to Adobe to help secure Flash.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.