Adobe has released an out-of-band update to address a Flash Player vulnerability that has been exploited in the wild in attacks targeting older versions of the application.
The exploit was spotted a few days ago by the French researcher Kafeine in the Angler exploit kit. Initially, Kafeine believed the cybercriminals might be using a combination of older Flash Player vulnerabilities (CVE-2014-9162 and CVE-2014-9163) that had been patched by Adobe in December.
However, after further investigations, it turned out that this was in fact a new flaw used to target Flash Player up to version 18.104.22.168. Kafeine didn’t update his initial blog post until today because he believes the exploit developers had not been aware that they were actually trying to leverage an unpatched vulnerability.
The vulnerability is a memory leak (CVE-2015-0310) that can be used to circumvent memory address randomization in Windows, Adobe said in an advisory published on Thursday.
The company advises users to update their installations to version 22.214.171.1247 on Windows and Mac OS, and to version 126.96.36.1998 on Linux. The Flash Player included in Chrome and Internet Explorer (Windows 8.x) will be updated automatically to the latest version.
Adobe credits Kafeine, Timo Hirvonen of F-Secure, and Yang Dingning for finding the vulnerability.
“The zero-day sits squarely as a medium threat risk. Adobe Flash is widely used, but this vulnerability is currently only been seen exploited by the Angler exploit kit. Users that are saavy enough to avoid phishing emails and documents will typically not be exploited and as soon as the patch is widely deployed the threat will dissipate even more,” Karl Sigler, Threat Intelligence Manager at Trustwave, told SecurityWeek.
“We haven’t had a chance to download the patch and test it against the exploit yet since it just came out. I expect that it will likely fully patch the vulnerability, but we have yet to truly verify that,” Sigler added. “In general though there are other things that users can do to protect themselves from these types of attacks. Users should be wary of links sent in untrusted emails or documents. This is the primary method that criminals use to lure users to Exploit Kits like Angler that are using this Adobe attack. Businesses should use gateway technologies that block and detect malware in real-time.”
On Wednesday, Kafeine reported uncovering a different Flash Player zero-day being used in the Angler exploit kit. Adobe has not confirmed this second vulnerability, but the company is investigating.
The French researcher noted that both CVE-2015-0310 and the unconfirmed vulnerability are included in the same instance of the Angler exploit kit.
This instance of Angler has been used to distribute a version of the Bedep malware. The payload is an ad fraud component.
Kafeine says the unconfirmed exploit works against Firefox and most versions of Internet Explorer, including Internet Explorer 11 running on a fully updated Windows 8.1.