Security News

Flash Player 0-Day Vulnerability Jolts Rushed Update

Posted on January 22nd, 2015 by

adobe-patched-headerAdobe Systems has released updates to its Flash Player software to correct a 0-day vulnerability (CVE-2015-0310) that is being exploited in the wild by an attack tool called the Angler Exploit Kit. These updates are available for Mac, Windows and Linux, and address a security hole that “could be used to circumvent memory randomization mitigations on the Windows platform,” according to Adobe’s security bulletin (APSB15-02).

Affected software versions: Adobe Flash Player 16.0.0.257 and earlier versions, Adobe Flash Player 13.0.0.260 and earlier 13.x versions, and Adobe Flash Player 11.2.202.429 and earlier versions for Linux.

On Adobe's blog, the company offered the following warning to Flash Player users:

Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.

Adobe described the vulnerability patched in this update as follows:

These updates resolve a memory leak that could be used to circumvent memory address randomization on the Windows platform (CVE-2015-0310).

French security researcher, Kafeine, spotted the new variant of the Angler EK, which is exploiting three different vulnerabilities in Flash Player, including the 0-day flaw affecting Adobe Flash version 16.0.0.257. Adobe is investigating these reports, and we can therefore expect additional security updates to follow. Consequently, as Kafeine said, "Disabling Flash Player for some days might be a good idea."

MORE: How to Tell if Adobe Flash Player Update is Valid

Exploit kits such as Angler EK are based on a "drive-by download attack" delivery technique, and installation starts silently in the background simply by visiting a website.

In the meantime, users of Adobe Flash Player desktop runtime for Mac and Windows should update to Adobe Flash Player 16.0.0.287 (14.9 MB)—just be aware that Adobe is still investigating reports that a separate exploit for Flash Player 16.0.0.287 still exists in the wild. It's therefore a good idea to have up to date Mac anti-virus software to detect known malware variants. Intego VirusBarrier recognizes this threat as Flash/AnglerEK.

Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.262. Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.438. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.287.


January 23 Update: Adobe published a security advisory (APSA15-01) on the remaining exploit for Adobe Flash Player 16.0.0.287:

A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows, Macintosh and Linux.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe said they expect to have a patch available for CVE-2015-0311 during the week of January 26. Adobe software affected by the vulnerability that is being actively exploited in the wild includes the following Flash Player versions: Adobe Flash Player 16.0.0.287 and earlier versions for Mac and Windows, Adobe Flash Player 13.0.0.262 and earlier 13.x versions, and Adobe Flash Player 11.2.202.438 and earlier versions for Linux.

January 24 Update: Adobe has released Flash Player version 16.0.0.296 with a fix for the second 0-day vulnerability.