Adobe has acknowledged a serious vulnerability in its Flash Player plugin and issued a fix within hours of a report published by security software firm FireEye.
According to FireEye, attackers used the zero-day exploit to target visitors to the websites of three nonprofit organizations: Peterson Institute for International Economics, American Research Center and Smith Richardson Foundation. Visitors to these websites were redirected to an exploit server using code injection.
FireEye has identified the attack under the codename GreedyWonk and believes that the perpetrators, who allegedly speak Chinese, "have sufficient resources (such as access to zero-day exploits) and a determination to infect visitors to foreign and public policy websites." The attackers behind GreedyWonk are likely seeking sensitive government data, similar to a recent report, as two of the three websites deal with matters of national security and public policy.
The exploit is reported to affect users with Windows XP, Windows 7 running Java 1.6, and those running Microsoft Office 2007 or 2010 without the latest updates. Adobe has been quick to update Flash Player with a fix for the reported exploit and has urged users to update the plugin manually if they have disabled automatic updates.