Adobe has released an out-of-band update to address a Flash Player vulnerability that has been exploited in the wild in attacks targeting older versions of the application.
The exploit was spotted a few days ago by the French researcher Kafeine in the Angler exploit kit. Initially, Kafeine believed the cybercriminals might be using a combination of older Flash Player vulnerabilities (CVE-2014-9162 and CVE-2014-9163) that had been patched by Adobe in December.
However, after further investigations, it turned out that this was in fact a new flaw used to target Flash Player up to version 15.0.0.242. Kafeine didn’t update his initial blog post until today because he believes the exploit developers had not been aware that they were actually trying to leverage an unpatched vulnerability.
The vulnerability is a memory leak (CVE-2015-0310) that can be used to circumvent memory address randomization in Windows, Adobe said in an advisory published on Thursday.
The company advises users to update their installations to version 16.0.0.287 on Windows and Mac OS, and to version 11.2.202.438 on Linux. The Flash Player included in Chrome and Internet Explorer (Windows 8.x) will be updated automatically to the latest version.
Adobe credits Kafeine, Timo Hirvonen of F-Secure, and Yang Dingning for finding the vulnerability.
“The zero-day sits squarely as a medium threat risk. Adobe Flash is widely used, but this vulnerability is currently only been seen exploited by the Angler exploit kit. Users that are saavy enough to avoid phishing emails and documents will typically not be exploited and as soon as the patch is widely deployed the threat will dissipate even more,” Karl Sigler, Threat Intelligence Manager at Trustwave, told SecurityWeek.
“We haven’t had a chance to download the patch and test it against the exploit yet since it just came out. I expect that it will likely fully patch the vulnerability, but we have yet to truly verify that,” Sigler added. “In general though there are other things that users can do to protect themselves from these types of attacks. Users should be wary of links sent in untrusted emails or documents. This is the primary method that criminals use to lure users to Exploit Kits like Angler that are using this Adobe attack. Businesses should use gateway technologies that block and detect malware in real-time.”
On Wednesday, Kafeine reported uncovering a different Flash Player zero-day being used in the Angler exploit kit. Adobe has not confirmed this second vulnerability, but the company is investigating.
The French researcher noted that both CVE-2015-0310 and the unconfirmed vulnerability are included in the same instance of the Angler exploit kit.
This instance of Angler has been used to distribute a version of the Bedep malware. The payload is an ad fraud component.
Kafeine says the unconfirmed exploit works against Firefox and most versions of Internet Explorer, including Internet Explorer 11 running on a fully updated Windows 8.1.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
- Car Cybersecurity Study Shows Drop in Critical Vulnerabilities Over Past Decade
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
- Intel Launches New Attestation Service as Part of Trust Authority Portfolio
- Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems
Latest News
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
