Adobe has released a critical security update for its Flash Player plug-in for Windows, Mac and Linux – the second in less than three weeks. The update addresses a zero-day exploit first uncovered by security firm FireEye a week ago that targeted visitors of at least three nonprofit websites.
The security firm said Peterson Institute for International Economics (PIIE.com), the American Research Center in Egypt (ARCE.org) and the Smith Richardson Foundation (SFR.org) were all compromised using remote code injection. Traffic to these sites was redirected to a server that contained a hidden iframe running the exploit.
Given the nature of the nonprofits, FireEye said they believe those responsible for the attacks have sufficient resources and are committed to infecting those visiting a particular type of website. Two of the sites in question focus on national security and public policy which led the firm to speculate that the attackers infected visitors for follow-on data theft.
In a security bulletin on the matter, Adobe said Flash Player 18.104.22.168 and earlier versions for Windows and Macintosh, version 22.214.171.1246 and earlier versions for Linux, AIR 126.96.36.1990 and earlier versions for Android, AIR 188.8.131.520 SDK and earlier versions and AIR 184.108.40.2060 SDK & Compiler and earlier versions are all affected.
The new version of Flash Player for Windows and Mac is 220.127.116.11 while the newest for Linux is 18.104.22.1681. Naturally, you’ll want to download and apply the patch ASAP.