Third zero-day vulnerability this year for Adobe Flash Player

Zero-days are like buses for Adobe, it seems. You wait for ages, then three come along at once.

Yesterday, Adobe issued a Security Advisory confirming that another critical vulnerability (CVE-2015-0313) exists in its Flash Player – the third this year.

Like this year’s other two Flash flaws, the latest vulnerability is exploited by malvertising attacks, which use malicious advertisements to load exploits. It’s not yet known whether cyber criminals are using the same exploit kit for all three.

According to Trend Micro, which discovered this flaw, “visitors of the popular site dailymotion.com were redirected to a series of sites that eventually led to the URL hxxp://www.retilio.com/skillt.swf, where the exploit itself was hosted. It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site. It is likely that this was not limited to the Dailymotion website alone, since the infection was triggered from the advertising platform and not the website content itself.”

Affected versions are:

  • Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Mac OS X
  • Adobe Flash Player 13.0.0.264 and earlier 13.x versions
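A practical way to use the affected-version list above is to compare the Flash Player build reported on each machine against the two ceilings the advisory gives, remembering that the 13.x extended-support branch has its own ceiling rather than falling under the 16.0.0.296 rule. The following Python is an added example written for this post, not code from Adobe or Trend Micro; the version strings and host names in the sample inventory are constructed, and the assumption is that you already have some way of collecting the installed version per host (the example does not query the browser or registry itself).

```python
"""Check Flash Player version strings against the ceilings in Adobe's advisory for CVE-2015-0313."""
from __future__ import annotations

# Ceilings taken from the affected-version list in the advisory text:
#   16.0.0.296 and earlier           (main branch, Windows and Mac OS X)
#   13.0.0.264 and earlier 13.x      (extended-support branch)
MAIN_BRANCH_MAX = (16, 0, 0, 296)
ESR_BRANCH_MAX = (13, 0, 0, 264)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn 'a.b.c.d' (or the comma form 'a,b,c,d' some ActiveX builds report)
    into a 4-tuple so versions compare numerically, not lexically."""
    parts = text.strip().replace(",", ".").split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a Flash Player version: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))          # pad short strings like '16.0.0'
    return (nums[0], nums[1], nums[2], nums[3])


def is_affected(version: str) -> bool:
    """True if the build falls inside the advisory's affected range."""
    v = parse_version(version)
    if v[0] == 13:
        # 13.x is maintained separately: a 13.x build newer than 13.0.0.264
        # is patched even though it is numerically below 16.0.0.296.
        return v <= ESR_BRANCH_MAX
    # Everything else (11.x, 14.x, 15.x, 16.x ...) is covered by the main ceiling.
    return v <= MAIN_BRANCH_MAX


def find_vulnerable(inventory: dict[str, str]) -> list[str]:
    """Return the hosts whose reported Flash Player build is affected, sorted by name.
    Unparseable entries are reported as affected so they are not silently skipped."""
    hits = []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                hits.append(host)
        except ValueError:
            hits.append(host)
    return sorted(hits)


# Constructed sample inventory (hypothetical host names and builds).
SAMPLE_INVENTORY = {
    "ws-01": "16.0.0.296",   # exactly at the main-branch ceiling -> affected
    "ws-02": "17.0.0.1",     # above the ceiling -> not affected
    "ws-03": "13.0.0.264",   # at the 13.x ceiling -> affected
    "ws-04": "13.0.0.265",   # newer 13.x build -> not affected
    "ws-05": "15.0.0.1",     # older main-branch line -> affected
    "ws-06": "unknown",      # could not be read -> flagged for follow-up
}

if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player {SAMPLE_INVENTORY[host]} needs attention")
```

The separate handling of the 13.x branch is the point worth copying into any real inventory script: a plain "is it below 16.0.0.296" test would wrongly flag patched 13.x builds and, worse, a naive string comparison would sort "16.0.0.296" after "16.0.0.1000".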

Adobe has already released two Flash Player updates over the past fortnight, in response to CVE-2015-0310 and CVE-2015-0311. A further update is expected later this week. Until then, ensure that your antivirus is up to date, and enable click-to-play so that Flash content does not run automatically.

Bear in mind, too, that you should only download legitimate updates from Adobe. The BBC reports that pornography shared via Facebook includes a fake Flash Player update, which installs malware.
