The French security expert Kafeine has recently discovered an unpatched vulnerability (0day) in Flash Player is being exploited by Angler Exploit Kit.
The new variant of the Angler exploit kit that exploit three different vulnerabilities in Flash Player, including the zero-day flaw (coded CVE-2015-0311) for the latest version of Flash (version 220.127.116.117) in several versions of Internet Explorer running on Windows 7 and Windows 8.
Adobe recognized this flaw as a critical vulnerability and it immediately started the investigation on the new Angler exploit kit to develop a security update to secure its customers.
The new Angler exploit kit includes also the code to exploit two known vulnerabilities, but security industry way scared by the presence of a zero-day in Flash that was being used in the wild to install a the Bedep malware.
“A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 18.104.22.1687 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” warned Adobe in an Adobe Security Bulletin.
Security experts noticed that attackers that are exploiting the vulnerability in the wild via drive-by-download attacks are targeting systems running Internet Explorer and Firefox on Windows 8.1 and below.
On January 24, Adobe has issued a security update that fixex the vulnerability, as explained by the company users who have enabled auto-update for the Flash Player desktop runtime will be receiving the update that fix also the CVE-2015-0311.
Adobe also announced that the manual download for the update will be available during the week of January 26.Adobe is working with distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
“This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post. ” states the security advisory.
If you have doubts about the Adobe Flash Player version installed on your machine, verify it by browsing the About Flash Player page.
(Security Affairs – Adobe Flash Player, zero day CVE-2015-0311)