Flash Player Hit by Third Zero-Day Vulnerability in a Month
By Shirley Siluk / CRM Daily
This year is off to a rough start for Adobe, which issued yet another security advisory on Monday regarding a new zero-day vulnerability identified in its Adobe Flash Player. Described as a "critical" vulnerability, it's the third Flash zero-day to emerge in recent weeks.

Adobe credits researchers at both Microsoft and Trend Micro for discovering and reporting this latest vulnerability. The new exploit -- identified as CVE-2015-0313 (vulnerability identifier APSA15-02) -- is executed through malvertisements, according to Trend Micro.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its security advisory, adding that the vulnerability affects both Internet Explorer and Firefox users on Windows 8.1 and earlier versions. It added that it expects to release an update to resolve the zero-day sometime this week.

Infection Happens 'Automatically'

Trend Micro has been following this latest attack since January 14, tracing it to advertisements appearing on the video-sharing site Dailymotion, Trend Micro Threats Analyst Peter Pi wrote in a blog post. Visitors arriving at the site were redirected to a series of sites before eventually being taken to a malicious URL where the exploit was hosted, he said.

"It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site," he said. "It is likely that this was not limited to the Dailymotion Web site alone, since the infection was triggered from the advertising platform and not the Web site content itself." Most of the users who appear to have been affected so far are from the U.S., Pi added.

"So far we've seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it's likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," Pi said. "Since the exploit affects the latest version of Flash, users may consider disabling Flash Player until a fixed version is released."

Execution through Angler Exploit Kit

The latest Flash zero-day appears to have "executed through the use of the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains," according to Pi. Exploit kits are packages of software created to launch malware in the wild.

Two other zero-day Flash vulnerabilities were revealed last month, although Adobe has now provided security updates for both of those.

In addition to the multiple zero-days, Adobe's Flash was hit with more bad news last week. Google said it has decided not to use Flash as the default video player on its YouTube property any longer. Instead, YouTube is now defaulting to the HTML5 video player for viewers using Chrome, Internet Explorer 11, Safari 8 and beta versions of Firefox.

Image credit: Adobe/Artist's concept.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.