Adobe Systems has made a patch available for a zero-day vulnerability in Flash Player that came under attack in recent days.
The vulnerability, CVE-2015-0313, affects Adobe Flash Player 16.0.0.296 and earlier versions for Windows, Macintosh and Linux, as well as Flash Player 13.0.0.264 and earlier 13.x versions. The vulnerability can be exploited to cause a crash and possibly take control of a vulnerable systems.
So far, the vulnerability is known to have been used to target systems running Internet Explorer and Firefox on Windows 8.1 and below. The bug has been linked to malvertising attacks. In the days since news broke of the vulnerability, security researchers have determined that the zero-day was being leveraged by a lesser known exploit called ‘HanJuan’ – not the Angler kit as some had previously thought.
“Exploit kits are made of different parts that can be updated as time goes on,” Malwarebyes Senior Security Researcher Jerome Segura blogged recently. “That is one critical part as most software programs evolve and new vulnerabilities are discovered. Since there is a high demand to have the most effective exploitation tools, there is a lot of money that goes into making the exploit kits better.”
The malvertising attack detected by Trend Micro impacted visitors to dailymotion.com, who were directed to a series of sites that ultimately led to the exploit kit. Malvertisements are an old style of malware delivery, but they remain incredibly notorious because websites have no choice but to load ads and trust whatever content is served by third parties, blogged Trend Micro Threats Analyst Brooks Li. Users, on the other hand, have no choice but to accept ads as a part of their everyday browsing experience as well, Li added.
According to Adobe, users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning today to fix CVE-2015-0313.
“Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” according to Adobe.
This vulnerability is the third Flash Player zero-day discovered in the past month that came under attack. In January, Adobe patched CVE-2015-0310, which could be used to circumvent memory randomization mitigations on Windows, as well as CVE-2015-0311, which could be leveraged to cause a crash or hijack a vulnerable system.
