Critical Flash Player hole plugged, another still unpatched and exploited
Adobe has released an out-of-band update for Flash Player, which fixes a security flaw (CVE-2015-0310) that could be used to circumvent memory randomization mitigations on the Windows platform.
“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” they noted, adding that they are investigating a report about another Flash Player vulnerability being exploited through the Angler exploit kit.
This latter critical zero-day flaw (CVE-2015-0311) has been first spotted and documented by security researcher Kafeine.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below,” Adobe explained.
The flaw affects Flash Player 188.8.131.527 and earlier versions for Windows, Macintosh and Linux, and the company has announced that a patch will be released during the week of January 26.
So, even if you update your Flash Player, you’re still in danger. Disabling the software until this patch comes out is a good idea, as the vulnerability is widely attacked through malvertising campaigns.
“Right now, there’s no indication that attackers are targeting Adobe Flash on other platforms like the Mac or Android. If you use these platforms, though, you should make sure you’re running security software and apply any patches from Adobe as soon as possible,” commented Christopher Budd, global threat communications manager at Trend Micro.