The dangerous Angler exploit kit has a new piece of ammunition to use in its attacks: a fresh Adobe Flash zero-day vulnerability. The kit is exploiting the previously unknown vulnerability in several versions of Internet Explorer running on Windows 7 and Windows 8.
French security researcher Kafeine has spotted a version of the Angler kit that’s firing exploits for several vulnerabilities in Flash, including two known bugs. But the big problem is that the kit also has exploit code for what appears to be a zero-day in the latest version of Flash, version 126.96.36.1997. Kafeine said that he first spotted the exploit for the zero-day in Flash on Wednesday and that it is being used to install a piece of malware known as Bedep.
Older versions of Angler have been seen installing Bedep in the past. The malware is used for ad fraud operations, and has been used by Angler in what Kafeine calls “fileless” infections of targeted machines.
The researcher said that not all instances of Angler are using the new Flash zero-day exploit, nor is it being used against all of the popular browsers. In his tests, Kafeine found that IE 10 on Windows 8, IE 8 on Windows 7 and IE 6-9 on Windows XP all are being exploited. Chrome is not being targeted and fully patched Windows 8.1 is not exploitable, he said.
Kafeine has not published the MD5 of the new exploit yet, but he said users may want to take precautions until Adobe has a fix available for the vulnerability.
“Disabling Flash player for some days might be a good idea,” he said.
An Adobe spokesman said that the company is aware of the report and is investigating it.
The crew behind Angler seems to have a special affinity for Flash exploits. The kit often has exploits for freshly patched Flash vulnerabilities within days of Adobe publishing fixes.