Adobe has patched two zero-day vulnerabilities (see Definition) in Adobe Flash Player over the past few days. Last Thursday, Adobe released an emergency update for one of the critical vulnerabilities in Flash Player.
Adobe has also been hit by a second zero-day vulnerability, tracked as CVE-2015-0311. This vulnerability is “being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below,” Adobe said in a security advisory. The company rates CVE-2015-0311 as “critical,” which means that “the vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.”
In a “drive-by download” attack, malicious software is downloaded to a victim’s computer without their knowledge or consent. In this scenario, an attacker could take control of the victim’s computer remotely.
CVE-2015-0311 affected all versions of Flash Player on any version of the Windows operating system, with any version of Internet Explorer (IE) as well as Mozilla Firefox. It was reported that the exploit was not triggered in Google Chrome.
Affected Software Versions
- Adobe Flash Player 126.96.36.1997 and earlier versions for Windows and Macintosh
- Adobe Flash Player 188.8.131.522 and earlier 13.x versions
- Adobe Flash Player 184.108.40.2068 and earlier versions for Linux
Due to the criticality of this exploit, Adobe Flash Player users are advised to update their software as soon as possible. Adobe stated that users who have enabled auto-update for the Flash Player desktop runtime will receive version 220.127.116.116 from 24 January. It includes a fix for CVE-2015-0311. Adobe is also expected to have an update available for manual download during the week of January 26. The company is also working to make the update available in Google Chrome and Internet Explorer 10 and 11.
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Adobe Security Bulletin.
Zero-day – an attack or threat that exploits a previously unknown vulnerability in a computer application or operating system on the same day that the vulnerability becomes generally known. It is a vulnerability that developers have had no time to address and patch.