Adobe has released a critical security update for its Flash Player plug-in for Windows, Mac and Linux – the second in less than three weeks. The update addresses a zero-day exploit first uncovered by security firm FireEye a week ago that targeted visitors of at least three nonprofit websites.
The security firm said Peterson Institute for International Economics (PIIE.com), the American Research Center in Egypt (ARCE.org) and the Smith Richardson Foundation (SFR.org) were all compromised using remote code injection. Traffic to these sites was redirected to a server that contained a hidden iframe running the exploit.
Given the nature of the nonprofits, FireEye said they believe those responsible for the attacks have sufficient resources and are committed to infecting those visiting a particular type of website. Two of the sites in question focus on national security and public policy which led the firm to speculate that the attackers infected visitors for follow-on data theft.
In a security bulletin on the matter, Adobe said Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh, version 188.8.131.526 and earlier versions for Linux, AIR 184.108.40.2060 and earlier versions for Android, AIR 220.127.116.110 SDK and earlier versions and AIR 18.104.22.1680 SDK & Compiler and earlier versions are all affected.
The new version of Flash Player for Windows and Mac is 22.214.171.124 while the newest for Linux is 126.96.36.1991. Naturally, you’ll want to download and apply the patch ASAP.