Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Patches Flash Player Vulnerability Exploited in the Wild

Adobe has released an out-of-band update to address a Flash Player vulnerability that has been exploited in the wild in attacks targeting older versions of the application.

Adobe has released an out-of-band update to address a Flash Player vulnerability that has been exploited in the wild in attacks targeting older versions of the application.

The exploit was spotted a few days ago by the French researcher Kafeine in the Angler exploit kit. Initially, Kafeine believed the cybercriminals might be using a combination of older Flash Player vulnerabilities (CVE-2014-9162 and CVE-2014-9163) that had been patched by Adobe in December.

However, after further investigations, it turned out that this was in fact a new flaw used to target Flash Player up to version 15.0.0.242. Kafeine didn’t update his initial blog post until today because he believes the exploit developers had not been aware that they were actually trying to leverage an unpatched vulnerability.

The vulnerability is a memory leak (CVE-2015-0310) that can be used to circumvent memory address randomization in Windows, Adobe said in an advisory published on Thursday.

The company advises users to update their installations to version 16.0.0.287 on Windows and Mac OS, and to version 11.2.202.438 on Linux. The Flash Player included in Chrome and Internet Explorer (Windows 8.x) will be updated automatically to the latest version.

Adobe credits Kafeine, Timo Hirvonen of F-Secure, and Yang Dingning for finding the vulnerability.

“The zero-day sits squarely as a medium threat risk. Adobe Flash is widely used, but this vulnerability is currently only been seen exploited by the Angler exploit kit. Users that are saavy enough to avoid phishing emails and documents will typically not be exploited and as soon as the patch is widely deployed the threat will dissipate even more,” Karl Sigler, Threat Intelligence Manager at Trustwave, told SecurityWeek.

“We haven’t had a chance to download the patch and test it against the exploit yet since it just came out. I expect that it will likely fully patch the vulnerability, but we have yet to truly verify that,” Sigler added. “In general though there are other things that users can do to protect themselves from these types of attacks. Users should be wary of links sent in untrusted emails or documents. This is the primary method that criminals use to lure users to Exploit Kits like Angler that are using this Adobe attack. Businesses should use gateway technologies that block and detect malware in real-time.”

Advertisement. Scroll to continue reading.

On Wednesday, Kafeine reported uncovering a different Flash Player zero-day being used in the Angler exploit kit. Adobe has not confirmed this second vulnerability, but the company is investigating.

The French researcher noted that both CVE-2015-0310 and the unconfirmed vulnerability are included in the same instance of the Angler exploit kit.

This instance of Angler has been used to distribute a version of the Bedep malware. The payload is an ad fraud component.

Kafeine says the unconfirmed exploit works against Firefox and most versions of Internet Explorer, including Internet Explorer 11 running on a fully updated Windows 8.1.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.