Adobe Patches One Zero Day in Flash, Will Patch a Second Flaw Next Week

UPDATE–Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit.

The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform,” Adobe said in its advisory

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”

The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn’t being used against Chrome or Firefox.

On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1. The Flash zero-day exploit is being used to install a version of the Bedep malware, which is used in ad fraud campaigns.

“One last bad news : Windows 8.1 Internet Explorer 11 fully updated is now owned as well,” Kafeine said.

Adobe late on Thursday said that it plans to release a patch for the second zero-day flaw in Flash–the one being used by the Angler exploit kit–next week, but did not specify an exact release date. The vulnerability affects the latest versions of Flash.

“A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in an advisory.

“We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.”

Angler is among the more dangerous exploit kits being used right now and the group behind the kit often has exploits for Flash vulnerabilities within days of a new Adobe patch being published. Adobe officials did not say whether there is an update in the works for the zero-day vulnerability.

This article was updated on Jan. 22 to include the information about the patch timing for the second Flash flaw.

Suggested articles

Discussion

  • Michael Sutton on

    We’ve published our analysis of an exploit sample retrieved yesterday that is not addressed by today’s Adobe Flash patch. http://research.zscaler.com/2015/01/malvertising-leading-to-flash-zero-day.html

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.