Menu
Adobe fixes just one of two actively exploited zero-day vulnerabilities in Flash Player

Adobe fixes just one of two actively exploited zero-day vulnerabilities in Flash Player

Internet Explorer and Firefox users with Flash Player enabled remain at risk

Emergency updates for Flash Player released Thursday fix a vulnerability that is actively exploited by attackers, but leave a separate one unpatched.

Adobe Systems released Flash Player 16.0.0.287 for Windows and Mac, Flash Player 11.2.202.438 for Linux and Flash Player Extended Support Release 13.0.0.262. These updates address a vulnerability identified in the Common Vulnerabilities and Exposures database as CVE-2015-0310.

Adobe is aware of an exploit for this vulnerability "in the wild" being used to attack older versions of Flash Player, the company said in a security advisory.

On Wednesday, a French malware researcher who uses the online alias Kafeine reported on his blog that cybercriminals using the Angler Exploit Kit are targeting an unpatched vulnerability in Flash Player. That vulnerability, it seems, is not CVE-2015-0310 and remains unpatched.

Kafeine has since updated his blog post to reflect that the Angler exploit seen yesterday also works against the newly released Flash Player 16.0.0.287 for Windows and Mac. Moreover, the attackers have since corrected an error in their implementation and are now also targeting Firefox users who have Flash Player installed in addition to Internet Explorer users.

"Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled," Kafeine said. Google Chrome, where Flash Player runs under the browser's security sandbox, is not targeted.

"We are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild," Adobe said.

Interestingly, the CVE-2015-0310 vulnerability that was patched Thursday was also used in attacks with the Angler Exploit Kit, but last week, according to Kafeine.

Attack tools like Angler exploit vulnerabilities in browser plug-ins to install malware on computers, but usually they target known vulnerabilities, for which patches have already been released. That's because the cybercriminals using these tools are satisfied with only targeting the many users who are not quick to update the software on their computers.

Zero-day exploits -- exploits for which the vendor doesn't have a patch -- do have a higher success rate, but they're also much more expensive to buy on the black market, especially those for widely used software like Flash Player. The use of two such exploits in a mass attack tool like Angler within a week is quite unusual, because it significantly increases the chance of those valuable exploits being discovered and burned.

Firefox users can enable the browser's click-to-play feature in order to avoid Flash content from executing automatically. However, security researchers advise that it's better to disable the Flash Player plug-in entirely from the browser until a patched version is released.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchessecurityAdobe Systemspatch managementExploits / vulnerabilitiesmalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments