Flash Player Hit by Third Zero-Day Vulnerability in a Month
This year is off to a rough start for Adobe, which issued yet another security advisory on Monday regarding a new zero-day vulnerability identified in its Adobe Flash Player. Described as a "critical" vulnerability, it's the third Flash zero-day to emerge in recent weeks.
Adobe credits researchers at both Microsoft and Trend Micro for discovering and reporting this latest vulnerability. The new exploit -- identified as CVE-2015-0313 (vulnerability identifier APSA15-02) -- is executed through malvertisements, according to Trend Micro.
"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its security advisory, adding that the vulnerability affects both Internet Explorer and Firefox users on Windows 8.1 and earlier versions. It added that it expects to release an update to resolve the zero-day sometime this week.
Infection Happens 'Automatically'
Trend Micro has been following this latest attack since January 14, tracing it to advertisements appearing on the video-sharing site Dailymotion, Trend Micro Threats Analyst Peter Pi wrote in a blog post. Visitors arriving at the site were redirected to a series of sites before eventually being taken to a malicious URL where the exploit was hosted, he said.
"It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site," he said. "It is likely that this was not limited to the Dailymotion Web site alone, since the infection was triggered from the advertising platform and not the Web site content itself." Most of the users who appear to have been affected so far are from the U.S., Pi added.
"So far we've seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it's likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," Pi said. "Since the exploit affects the latest version of Flash, 188.8.131.526, users may consider disabling Flash Player until a fixed version is released."
Execution through Angler Exploit Kit
The latest Flash zero-day appears to have "executed through the use of the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains," according to Pi. Exploit kits are packages of software created to launch malware in the wild.
Two other zero-day Flash vulnerabilities were revealed last month, although Adobe has now provided security updates for both of those.
Beyond the multiple zero-days, Adobe's Flash was hit with more bad news last week. Google said it has decided to stop using Flash as the default video player on its YouTube property. Instead, YouTube now defaults to the HTML5 video player for viewers using Chrome, Internet Explorer 11, Safari 8 and beta versions of Firefox.