ID: IRCNE2015012411
Date: 2015-01-26
According to “ComputerWorld”, Emergency updates for Flash Player released Thursday fix a vulnerability that is actively exploited by attackers, but leave a separate one unpatched.
Adobe Systems released Flash Player 16.0.0.287 for Windows and Mac, Flash Player 11.2.202.438 for Linux and Flash Player Extended Support Release 13.0.0.262. These updates address a vulnerability identified in the Common Vulnerabilities and Exposures database as CVE-2015-0310.
Adobe is aware of an exploit for this vulnerability "in the wild" being used to attack older versions of Flash Player, the company said in a security advisory.
On Wednesday, a French malware researcher who uses the online alias Kafeine reported on his blog that cybercriminals using the Angler Exploit Kit are targeting an unpatched vulnerability in Flash Player. That vulnerability, it seems, is not CVE-2015-0310 and remains unpatched.
Kafeine has since updated his blog post to reflect that the Angler exploit seen yesterday also works against the newly released Flash Player 16.0.0.287 for Windows and Mac. Moreover, the attackers have since corrected an error in their implementation and are now also targeting Firefox users who have Flash Player installed in addition to Internet Explorer users.
"Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled," Kafeine said. Google Chrome, where Flash Player runs under the browser's security sandbox, is not targeted.
"We are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild," Adobe said.
Interestingly, the CVE-2015-0310 vulnerability that was patched Thursday was also used in attacks with the Angler Exploit Kit, but last week, according to Kafeine.
Firefox users can enable the browser's click-to-play feature in order to avoid Flash content from executing automatically. However, security researchers advise that it's better to disable the Flash Player plug-in entirely from the browser until a patched version is released.
- 3