Running Adobe Flash? You need to read this today

AdobeAdobe has released a critical security patch for an Adobe Flash vulnerability that is being exploited by online criminals.

The vulnerability, known as CVE-2015-0310, can be used by hackers to "circumvent memory randomization mitigations" on versions of Windows.

Obviously it would be sensible to ensure that your version of Flash is updated as soon as possible.

If you're using Google Chrome or Internet Explorer for Windows 8.x, then Flash should already have been updated to the latest version. If not, then it would be wise to follow the advice in Adobe's security advisory to get the latest update as soon as possible.

Unfortunately, however, the story doesn't end there. As Adobe has acknowledged that there is another zero-day vulnerability in Flash.

This other, as-yet-unpatched bug, was first reported by security researcher Kafeine via their Malware don't need Coffee blog, when they noticed it being distributed through the malicious Angler Exploit Kit to recruit computers into botnets or to commit click fraud.

The critical zero-day vulnerability, known as CVE-2015-0311, exists in Adobe Flash Player version 16.0.0.287 and earlier for Windows, Macintosh and Linux, and could allow a remote attacker to plant malware and take control of vulnerable computers.

Adobe security advisory

Adobe says it is aware of the vulnerability being actively exploited in the wild via drive-by-download attacks (that's where you visit a boobytrapped website on a vulnerable computer) against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe says the following versions of Adobe Flash are vulnerable to this exploit:

  • Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 13.0.0.262 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.438 and earlier versions for Linux

Adobe says it hopes to have a patch out next week, but for many users the safest advice may be to disable Flash if possible while you're waiting for a fix to be issued.

If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.

The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party "optional offer" products at the same time (an irritating habit of Flash's install program).

Update: Good news! Adobe patches second Flash zero-day vulnerability ahead of schedule.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

3 Responses

  1. Chris Thomas

    January 23, 2015 at 1:40 pm #

    MalwareBytes Anti-Exploit should be effective in protecting from the effects of Flash bugs. The free version protects web browsers and web browser plugins (Google Chrome, Firefox, Opera, Internet Explorer and also Java). MalwareBytes techs confirm that the Angler Exploit Kit delivered exploit is effectively mitigated by Anti-Exploit.

    Disclaimer: I use Anti-Exploit. I am not an employee or agent of that excellent firm MalwareBytes.

  2. David Blevins

    January 23, 2015 at 1:48 pm #

    Adobe's Flash page is showing, as of 8:45AM ET 1/23/15, 16.0.0.287 as the "latest" version … guess their left hand and right hand aren't in synch.

  3. Bob

    January 24, 2015 at 4:24 am #

    I have had to re-install MalwareBytes Pro 3 times in last 4 months. My online browser protection was disabled each time. MalwareBytes pro did extend my license as if just activated. Has malwareBytes pro been hacked ????

Leave a Reply