SBN: Running Adobe Flash? You Need to Read This Today

Posted on by Security Bloggers Network

Adobe has released a critical security patch for an Adobe Flash vulnerability that is being exploited by online criminals.

The vulnerability, known as CVE-2015-0310, can be used by hackers to “circumvent memory randomization mitigations” on versions of Windows.

Obviously it would be sensible to ensure that your version of Flash is updated as soon as possible.

If you’re using Google Chrome or Internet Explorer for Windows 8.x, then Flash should already have been updated to the latest version. If not, then it would be wise to follow the advice in Adobe’s security advisory to get the latest update as soon as possible.

Unfortunately, however, the story doesn’t end there. As Adobe has acknowledged that there is another zero-day vulnerability in Flash.

This other, as-yet-unpatched bug, was first reported by security researcher Kafeine via their Malware don’t need Coffee blog, when they noticed it being distributed through the malicious Angler Exploit Kit to recruit computers into botnets or to commit click fraud.

The critical zero-day vulnerability, known as CVE-2015-0311, exists in Adobe Flash Player version and earlier for Windows, Macintosh and Linux, and could allow a remote attacker to plant malware and take control of vulnerable computers.

Adobe says it is aware of the vulnerability being actively exploited in the wild via drive-by-download attacks (that’s where you visit a boobytrapped website on a vulnerable computer) against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe says the following versions of Adobe Flash are vulnerable to this exploit:

  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier 13.x versions
  • Adobe Flash Player and earlier versions for Linux

Adobe says it hopes to have a patch out next week, but for many users the safest advice may be to disable Flash if possible while you’re waiting for a fix to be issued.

If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.

The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).

Graham Cluley is an independent security analyst and a member of the Security Bloggers Network. This post originally appeared on

Security Bloggers Network

, Security Blogger's Network

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community