Adobe Blocks (Another!) 0-Day Vulnerability in Flash Player 22.214.171.1246
Posted by Derek Erwin
Adobe has blocked another critical 0-day vulnerability in Adobe Flash Player 126.96.36.1996 and earlier versions for Mac and Windows with new security updates, updating Flash Player to version 188.8.131.525. These updates address a critical vulnerability, identified as CVE-2015-0313, reportedly used in malvertisement attacks.
Affected software versions include: Adobe Flash Player 184.108.40.2066 and earlier versions for Windows and Macintosh, and Adobe Flash Player 220.127.116.114 and earlier 13.x versions.
The new Adobe Flash Player release comes only a week after two other 0-day vulnerabilities in Flash were discovered to have been exploited by the Angler Exploit Kit. Those vulnerabilities were patched with Flash Player 18.104.22.1686, which is now an outdated, vulnerable version of Adobe software.
The 0-day vulnerability patched in today's update is described as follows:
CVE-2015-0313: Unspecified vulnerability in Adobe Flash Player through 22.214.171.1244 and 14.x, 15.x, and 16.x through 126.96.36.1996 on Windows and OS X and through 188.8.131.520 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in February 2015.
According to Adobe, “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. […] [T]his vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.”
Users of Adobe Flash Player for Mac and Windows should update to Adobe Flash Player 184.108.40.2065 (14.9 MB) immediately. Adobe said the company is working with its distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
Intego VirusBarrier with up-to-date antivirus definitions detects this 0-day vulnerability as Flash/NuclearEK.