SecurityWeek

Adobe Patches Flash Player Vulnerability Exploited in the Wild

Adobe has released an out-of-band update to address a Flash Player vulnerability that has been exploited in the wild in attacks targeting older versions of the application.

The exploit was spotted a few days ago by the French researcher Kafeine in the Angler exploit kit. Initially, Kafeine believed the cybercriminals might be using a combination of older Flash Player vulnerabilities (CVE-2014-9162 and CVE-2014-9163) that had been patched by Adobe in December.

However, after further investigations, it turned out that this was in fact a new flaw used to target Flash Player up to version 15.0.0.242. Kafeine didn’t update his initial blog post until today because he believes the exploit developers had not been aware that they were actually trying to leverage an unpatched vulnerability.

The vulnerability is a memory leak (CVE-2015-0310) that can be used to circumvent memory address randomization in Windows, Adobe said in an advisory published on Thursday.

The company advises users to update their installations to version 16.0.0.287 on Windows and Mac OS, and to version 11.2.202.438 on Linux. The Flash Player included in Chrome and Internet Explorer (Windows 8.x) will be updated automatically to the latest version.

Adobe credits Kafeine, Timo Hirvonen of F-Secure, and Yang Dingning for finding the vulnerability.

“The zero-day sits squarely as a medium threat risk. Adobe Flash is widely used, but this vulnerability has currently only been seen exploited by the Angler exploit kit. Users that are savvy enough to avoid phishing emails and documents will typically not be exploited and as soon as the patch is widely deployed the threat will dissipate even more,” Karl Sigler, Threat Intelligence Manager at Trustwave, told SecurityWeek.

“We haven’t had a chance to download the patch and test it against the exploit yet since it just came out. I expect that it will likely fully patch the vulnerability, but we have yet to truly verify that,” Sigler added. “In general though there are other things that users can do to protect themselves from these types of attacks. Users should be wary of links sent in untrusted emails or documents. This is the primary method that criminals use to lure users to Exploit Kits like Angler that are using this Adobe attack. Businesses should use gateway technologies that block and detect malware in real-time.”

On Wednesday, Kafeine reported uncovering a different Flash Player zero-day being used in the Angler exploit kit. Adobe has not confirmed this second vulnerability, but the company is investigating.

The French researcher noted that both CVE-2015-0310 and the unconfirmed vulnerability are included in the same instance of the Angler exploit kit.

This instance of Angler has been used to distribute a version of the Bedep malware. The payload is an ad fraud component.

Kafeine says the unconfirmed exploit works against Firefox and most versions of Internet Explorer, including Internet Explorer 11 running on a fully updated Windows 8.1.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
