Adobe has released an emergency fix for a zero-day vulnerability in Flash Player, which attackers could use to sidestep memory randomization mitigations on the Windows operating system.
On Thursday, the company made the Flash updates available for Windows, Macintosh and Linux. In a security bulletin, Adobe identified the zero-day vulnerability as CVE-2015-0310, and said that it was “aware of reports than an exploit for [the bug] exists in the wild, which is being used in attacks against older versions of Flash Player.”
Of note, the company is also investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild, the bulletin said.
The patch that remediates CVE-2015-0310 resolves a memory leak issue, Adobe said, acknowledging Yang Dingning, Timo Hirvonen of F-Secure, and a security researcher known as “Kafeine,” who warned users last fall that a recently patched integer overflow vulnerability in Flash Player (CVE-2014-0569) had been added to the Fiesta Exploit Kit and the Angler Exploit Kit.
Ironically, Kafeine also took to his blog last week to detail the then-unpatched vulnerability CVE-2015-0310, as well as the fact that the exploit was being distributed through the Angler EK to spread malware, called "Bedep." Kafeine initially thought that the attacks were leveraged through CVE-2014-9162 and CVE-2014-9163 (which were patched in December by Adobe), but updated his blog post (and tweeted) on Thursday that CVE-2015-0310 was actually being targeted in attacks.
On Thursday, researchers at Trustwave SpiderLabs also posted screenshots of saboteurs' attack methods via Angler.
“The zero-day is delivered by the prevalent Angler exploit kit and potentially attacking a large number of users,” Trustwave said. “Because the attack exploits Adobe Flash, the malicious code will successfully execute in various browsers.”
UPDATE: In a second security bulletin issued later on Thursday, Adobe said that, next week, users can expect a patch for a critical vulnerability, CVE-2015-0311, in Adobe Flash Player 16.0.0.287 and earlier versions for Windows, Macintosh and Linux.
"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," the Adobe bulletin said. "We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below."
