Security Experts:

Connect with us

Hi, what are you looking for?



Adobe Flash Player Zero-Day Exploited in Attack Campaign

Adobe Systems released an emergency update today to address a security vulnerability in Adobe Flash Player that is being exploited in a large-scale phishing campaign.

Adobe Systems released an emergency update today to address a security vulnerability in Adobe Flash Player that is being exploited in a large-scale phishing campaign.

The bug, CVE-2015-3113, is a heap buffer overflow issue. It was discovered by researchers at FireEye, who have linked it to attacks by the hacking crew APT3 that have targeted a number of industries, including the telecommunications, transportation and aerospace and defense sectors.

“Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks,” Adobe stated in its advisory. “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

According to FireEye, the attackers’ emails contained links to compromised web servers that served either benign content or a malicious Adobe Flash Player file exploiting the bug.

“Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts,” FireEye researchers blogged. “Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.”

“The attack exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files,” the researchers explained. “The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image.”

APT3 has been linked to the use of browser-based zero-days in the past, and will typically dump credentials and move laterally across a compromised network to hit additional victims, the FireEye researchers added.

“Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things – race to deploy the newest patch before hackers can leverage the exploit for an attack,” said Clinton Karr, senior security strategist at Bromium. “Or test the patch to make sure it integrates with legacy systems. This latest zero-day and others before it could have been isolated in the first place. Only by isolating the threat are security and ops teams granted the grace period needed to test and deploy these critical patches.”

“The vulnerability lies in the video decoding part of Flash and the exploit shows some signs of sophistication by introducing new techniques in their use of ROP,” blogged Qualys CTO Wolfgang Kandek. “Patch as quickly as possible. 0-days once discovered this way tend to spread quickly to other cyber criminal groups. Adobe mentions that all known targets seem to use Windows 7 and Internet Explorer and Firefox on Windows XP, but we don’t recommend holding back on patching even if you are running other configurations (hopefully not XP, though). Users of IE10/11 and Google Chrome will get their patches through their browsers directly, everybody else will need to download directly from Adobe.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet