Adobe has released a critical security update for its Flash Player plug-in for Windows, Mac and Linux – the second in less than three weeks. The update addresses a zero-day exploit first uncovered by security firm FireEye a week ago that targeted visitors of at least three nonprofit websites.
The security firm said Peterson Institute for International Economics (PIIE.com), the American Research Center in Egypt (ARCE.org) and the Smith Richardson Foundation (SFR.org) were all compromised using remote code injection. Traffic to these sites was redirected to a server that contained a hidden iframe running the exploit.
Given the nature of the nonprofits, FireEye said they believe those responsible for the attacks have sufficient resources and are committed to infecting those visiting a particular type of website. Two of the sites in question focus on national security and public policy which led the firm to speculate that the attackers infected visitors for follow-on data theft.
In a security bulletin on the matter, Adobe said Flash Player 184.108.40.206 and earlier versions for Windows and Macintosh, version 220.127.116.116 and earlier versions for Linux, AIR 18.104.22.1680 and earlier versions for Android, AIR 22.214.171.1240 SDK and earlier versions and AIR 126.96.36.1990 SDK & Compiler and earlier versions are all affected.
The new version of Flash Player for Windows and Mac is 188.8.131.52 while the newest for Linux is 184.108.40.2061. Naturally, you’ll want to download and apply the patch ASAP.