Arguably the most useless and obnoxious piece of near universally installed software, Adobe Flash has received another kick that ought finally to send it to its grave. A cyber-espionage operation whose attack patterns suggest ties to the Russian government has been discovered using one of Flash’s endlessly emerging vulnerabilities.
The operation, running at least since 2007, is known to security researchers as Pawn Storm. It has targeted US, North Atlantic Treaty Organisation and Ukrainian governments, militaries and media, as well as the political opponents of Russian President Vladimir Putin. It uses a malicious iOS application to steal data from iPhones and employs “spear-phishing” to get information from targeted computers, typically sending purported links to articles on various geopolitical issues to entice people to open websites that install malicious software.
On Tuesday, analysts from Trend Micro published a blog post saying Pawn Storm now uses a “zero day” — previously undiscovered — Adobe Flash vulnerability, and it has succeeded against at least one country’s foreign ministry. The cyber security company and Adobe say they’re working together to provide a fix, but instead Adobe should finally retire Flash for good.
There were loud calls for this last July, after security firm Hacking Team, controversial for straddling the line between hacking and protecting people against it, suffered an embarrassing breach. The firm’s cache of documents, released by the hackers for all to peruse, contained the description of a wide-open security hole in Flash. This caused Mozilla, the maker of the Firefox browser, to disable the Flash plug-in, and Facebook’s chief security officer, Alex Stamos, to call on Adobe to set an “end-of-life date” for the product. Yet Flash is still alive and kicking.
