Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Patches Flash Player Vulnerability Exploited in the Wild

Adobe has released an out-of-band update to address a Flash Player vulnerability that has been exploited in the wild in attacks targeting older versions of the application.

Adobe has released an out-of-band update to address a Flash Player vulnerability that has been exploited in the wild in attacks targeting older versions of the application.

The exploit was spotted a few days ago by the French researcher Kafeine in the Angler exploit kit. Initially, Kafeine believed the cybercriminals might be using a combination of older Flash Player vulnerabilities (CVE-2014-9162 and CVE-2014-9163) that had been patched by Adobe in December.

However, after further investigations, it turned out that this was in fact a new flaw used to target Flash Player up to version 15.0.0.242. Kafeine didn’t update his initial blog post until today because he believes the exploit developers had not been aware that they were actually trying to leverage an unpatched vulnerability.

The vulnerability is a memory leak (CVE-2015-0310) that can be used to circumvent memory address randomization in Windows, Adobe said in an advisory published on Thursday.

The company advises users to update their installations to version 16.0.0.287 on Windows and Mac OS, and to version 11.2.202.438 on Linux. The Flash Player included in Chrome and Internet Explorer (Windows 8.x) will be updated automatically to the latest version.

Adobe credits Kafeine, Timo Hirvonen of F-Secure, and Yang Dingning for finding the vulnerability.

Advertisement. Scroll to continue reading.

“The zero-day sits squarely as a medium threat risk. Adobe Flash is widely used, but this vulnerability is currently only been seen exploited by the Angler exploit kit. Users that are saavy enough to avoid phishing emails and documents will typically not be exploited and as soon as the patch is widely deployed the threat will dissipate even more,” Karl Sigler, Threat Intelligence Manager at Trustwave, told SecurityWeek.

“We haven’t had a chance to download the patch and test it against the exploit yet since it just came out. I expect that it will likely fully patch the vulnerability, but we have yet to truly verify that,” Sigler added. “In general though there are other things that users can do to protect themselves from these types of attacks. Users should be wary of links sent in untrusted emails or documents. This is the primary method that criminals use to lure users to Exploit Kits like Angler that are using this Adobe attack. Businesses should use gateway technologies that block and detect malware in real-time.”

On Wednesday, Kafeine reported uncovering a different Flash Player zero-day being used in the Angler exploit kit. Adobe has not confirmed this second vulnerability, but the company is investigating.

The French researcher noted that both CVE-2015-0310 and the unconfirmed vulnerability are included in the same instance of the Angler exploit kit.

This instance of Angler has been used to distribute a version of the Bedep malware. The payload is an ad fraud component.

Kafeine says the unconfirmed exploit works against Firefox and most versions of Internet Explorer, including Internet Explorer 11 running on a fully updated Windows 8.1.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.