Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Adobe Patches Flash Player Zero-Day Vulnerability

Adobe Systems has made a patch available for a zero-day vulnerability in Flash Player that came under attack in recent days.

Adobe Systems has made a patch available for a zero-day vulnerability in Flash Player that came under attack in recent days.

The vulnerability, CVE-2015-0313, affects Adobe Flash Player and earlier versions for Windows, Macintosh and Linux, as well as Flash Player and earlier 13.x versions. The vulnerability can be exploited to cause a crash and possibly take control of a vulnerable systems.

So far, the vulnerability is known to have been used to target systems running Internet Explorer and Firefox on Windows 8.1 and below. The bug has been linked to malvertising attacks. In the days since news broke of the vulnerability, security researchers have determined that the zero-day was being leveraged by a lesser known exploit called ‘HanJuan’ – not the Angler kit as some had previously thought.

“Exploit kits are made of different parts that can be updated as time goes on,” Malwarebyes Senior Security Researcher Jerome Segura blogged recently. “That is one critical part as most software programs evolve and new vulnerabilities are discovered. Since there is a high demand to have the most effective exploitation tools, there is a lot of money that goes into making the exploit kits better.”

The malvertising attack detected by Trend Micro impacted visitors to, who were directed to a series of sites that ultimately led to the exploit kit. Malvertisements are an old style of malware delivery, but they remain incredibly notorious because websites have no choice but to load ads and trust whatever content is served by third parties, blogged Trend Micro Threats Analyst Brooks Li. Users, on the other hand, have no choice but to accept ads as a part of their everyday browsing experience as well, Li added.

According to Adobe, users who have enabled auto-update for the Flash Player desktop runtime will be receiving version beginning today to fix CVE-2015-0313.

“Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” according to Adobe.

Advertisement. Scroll to continue reading.

This vulnerability is the third Flash Player zero-day discovered in the past month that came under attack. In January, Adobe patched CVE-2015-0310, which could be used to circumvent memory randomization mitigations on Windows, as well as CVE-2015-0311, which could be leveraged to cause a crash or hijack a vulnerable system.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.