Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Patches Flash Player Zero-Day Vulnerability

Adobe Systems has made a patch available for a zero-day vulnerability in Flash Player that came under attack in recent days.

Adobe Systems has made a patch available for a zero-day vulnerability in Flash Player that came under attack in recent days.

The vulnerability, CVE-2015-0313, affects Adobe Flash Player 16.0.0.296 and earlier versions for Windows, Macintosh and Linux, as well as Flash Player 13.0.0.264 and earlier 13.x versions. The vulnerability can be exploited to cause a crash and possibly take control of a vulnerable systems.

So far, the vulnerability is known to have been used to target systems running Internet Explorer and Firefox on Windows 8.1 and below. The bug has been linked to malvertising attacks. In the days since news broke of the vulnerability, security researchers have determined that the zero-day was being leveraged by a lesser known exploit called ‘HanJuan’ – not the Angler kit as some had previously thought.

“Exploit kits are made of different parts that can be updated as time goes on,” Malwarebyes Senior Security Researcher Jerome Segura blogged recently. “That is one critical part as most software programs evolve and new vulnerabilities are discovered. Since there is a high demand to have the most effective exploitation tools, there is a lot of money that goes into making the exploit kits better.”

The malvertising attack detected by Trend Micro impacted visitors to dailymotion.com, who were directed to a series of sites that ultimately led to the exploit kit. Malvertisements are an old style of malware delivery, but they remain incredibly notorious because websites have no choice but to load ads and trust whatever content is served by third parties, blogged Trend Micro Threats Analyst Brooks Li. Users, on the other hand, have no choice but to accept ads as a part of their everyday browsing experience as well, Li added.

According to Adobe, users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning today to fix CVE-2015-0313.

“Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” according to Adobe.

This vulnerability is the third Flash Player zero-day discovered in the past month that came under attack. In January, Adobe patched CVE-2015-0310, which could be used to circumvent memory randomization mitigations on Windows, as well as CVE-2015-0311, which could be leveraged to cause a crash or hijack a vulnerable system.

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.