Adobe Systems has released updates to its Flash Player software to correct a 0-day vulnerability (CVE-2015-0310) that is being exploited in the wild by an attack tool called the Angler Exploit Kit. These updates are available for Mac, Windows and Linux, and address a security hole that “could be used to circumvent memory randomization mitigations on the Windows platform,” according to Adobe’s security bulletin (APSB15-02).
Affected software versions: Adobe Flash Player 220.127.116.117 and earlier versions, Adobe Flash Player 18.104.22.1680 and earlier 13.x versions, and Adobe Flash Player 22.214.171.1249 and earlier versions for Linux.
On Adobe’s blog, the company offered the following warning to Flash Player users:
Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, we are investigating reports that a separate exploit for Flash Player 126.96.36.1997 and earlier also exists in the wild.
Adobe described the vulnerability patched in this update as follows:
These updates resolve a memory leak that could be used to circumvent memory address randomization on the Windows platform (CVE-2015-0310).
French security researcher, Kafeine, spotted the new variant of the Angler EK, which is exploiting three different vulnerabilities in Flash Player, including the 0-day flaw affecting Adobe Flash version 188.8.131.527. Adobe is investigating these reports, and we can therefore expect additional security updates to follow. Consequently, as Kafeine said, “Disabling Flash Player for some days might be a good idea.”
Exploit kits such as Angler EK are based on a “drive-by download attack” delivery technique, and installation starts silently in the background simply by visiting a website.
In the meantime, users of Adobe Flash Player desktop runtime for Mac and Windows should update to Adobe Flash Player 184.108.40.2067 (14.9 MB)—just be aware that Adobe is still investigating reports that a separate exploit for Flash Player 220.127.116.117 still exists in the wild. It’s therefore a good idea to have up to date Mac anti-virus software to detect known malware variants. Intego VirusBarrier recognizes this threat as Flash/AnglerEK.
Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 18.104.22.1682. Users of Adobe Flash Player for Linux should update to Adobe Flash Player 22.214.171.1248. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 126.96.36.1997.
January 23 Update: Adobe published a security advisory (APSA15-01) on the remaining exploit for Adobe Flash Player 188.8.131.527:
A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 184.108.40.2067 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.
Adobe said they expect to have a patch available for CVE-2015-0311 during the week of January 26. Adobe software affected by the vulnerability that is being actively exploited in the wild includes the following Flash Player versions: Adobe Flash Player 220.127.116.117 and earlier versions for Mac and Windows, Adobe Flash Player 18.104.22.1682 and earlier 13.x versions, and Adobe Flash Player 22.214.171.1248 and earlier versions for Linux.
January 24 Update: Adobe has released Flash Player version 126.96.36.1996 with a fix for the second 0-day vulnerability.