Adobe patches latest Flash Player zero-day
Adobe has released Flash Player 184.108.40.2065, a new version that fixes the latest zero-day flaw (CVE-2015-0313) that is currently exploited in mass malvertising campaigns.
An exploit for the flaw has been recently added to the Hanjuan exploit kit, and malicious ads shown on a number of high-profile sites redirect users to sites hosting it.
While the existence of the flaw was made public only this week, cyber crooks exploited it as far back as December 9, 2014, Malwarebytes experts say.
According to Trustwave researchers, the CVE-2015-0313 flaw is “a use-after-free vulnerability caused by a bug in how Flash handles the FlashCC (previously Flash Alchemy) ‘fast memory access” feature (domainMemory), when the last is used by flash Workers (Flash threads).”
The new version of the software will be delivered automatically to users who have chosen the auto-update option. You can also download it directly from Adobe.
The company is working with their distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
As many times before, users are urged to update to the latest version as soon as possible. For those who are tired of Flash Player’s constant zero-day-bug/patch cycle this might be a perfect time to reevaluate whether they actually need the software.
If the answer is “mostly no”, it would be a good idea to use one browser with the Adobe plugin disabled for regular Internet browsing, and another one with the active plugin to check out just your must-visit sites that can’t function well without it.