If you love using Flash Player, here is some exciting news for you. On October 14th, Adobe announced that it was issuing an advisory warning about a brand new zero-day threat against its software, Flash Player. The vulnerability is identified as CVE-2015-7645 and has since been patched.
As luck would have it, on Oct 13th, when Adobe announced its regular monthly updates for Flash Player, patching 13 different CVEs, the first public report of attacks making use of CVE-2015-7645 was made. As per the original plan, a patch for CVE-2015-7645 was supposed to come out that very week; however, Adobe managed to hasten the release of the patch to Oct 16th.
Peter Pi, a threat analyst at Trend Micro who reported the issue, was recognized by Adobe in its first advisory for CVE-2015-7645. He announced publicly on Oct 13th that he had just found a new Adobe Flash Player zero-day vulnerability being used by the cybercriminal group behind the Pawn Storm attack.
The Pawn Storm attacks had been going on for several months prior, and the group was well known as an opportunistic user of zero-day vulnerabilities. In July, Oracle patched CVE-2015-2590, a Java flaw that Pawn Storm had been using in its attacks. Trend Micro discovered that Pawn Storm was targeting foreign affairs ministries from all over the globe with a spear phishing campaign with this patch.
Adobe’s response time for the CVE-2015-7645 zero-day patch was definitely a great improvement.
Adobe spokesperson Heather Edell told eWEEK that the company's typical zero-day patch turnaround continues to be five to seven days. This is a great improvement from a zero-day cycle of ten days in 2009. Although this particular fix was fast, Edell said that one had been done in a record 36 hours. Some basic factors also influence the release time, such as partner and distribution corroboration.
Natalie Silvanovich of Google’s Project Zero disputes that Trend Micro was the one who discovered CVE-2015-7645. According to a Twitter message from Silvanovich, she reported the Flash 0-day on Sept 29th, two weeks before Trend found it in the wild.
Adobe in its advisory credits Silvanovich for vulnerability research. On the other hand, Adobe recognizes Trend Micro’s Pi for the detection and analysis of the possible exploits of CVE-2015-7645. Moreover, Adobe is working on patches for two vulnerabilities that were reported by Silvanovich and are identified as CVE-2015-7647 and CVE-2015-7648. As Adobe states in the advisory, these additional updates resolve type confusion vulnerabilities that could lead to code execution.
Under Google’s Project Zero policy, vendors are normally allowed a disclosure deadline of 90 days. If a vendor hasn’t prepared a patch for a reported flaw by then, Google will go ahead and disclose the vulnerability.