For the third time in the last couple of weeks, Adobe is dealing with a zero day vulnerability in Flash. The company is working on a patch for another Flash bug that is being exploited in drive-by download attacks.
Adobe officials released an advisory Monday warning users that attackers are exploiting a new vulnerability in Flash and said that they’re planning to release a patch for the flaw sometime this week. The vulnerability affects Flash on Windows, OS X and Linux.
“A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 22.214.171.1246 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below,” the Adobe advisory says.
This is the third zero day that has hit Flash in the last two weeks. In late January, security researcher Kafeine discovered that the attackers behind the Angler exploit kit had added an exploit for a previously unknown Flash bug to the kit. The exploit was not in all instances of the kit, but it was being used in attacks against several browsers. That report was followed quickly by news of a second Flash zero day that was circulating, as well. Adobe released patches for both vulnerabilities last month.
This newest vulnerability in Flash reportedly is being used by the Angler kit, as well. Adobe didn’t specify the day on which the patch would be released, but said it would be this week.