Adobe confirms patch for newest zero-day vulnerability

Adobe says to expect a fix this week

For the third time in as many weeks, Adobe's Flash Player is being used by criminals to launch attacks against the public.

A malicious advertising campaign on Dailymotion.com has led to thousands of infections due to the use of a Flash Player vulnerability that's currently without a patch.

Details about this latest attack come from researchers at Trend Micro, who discovered that today’s attack dates back to at least Jan. 14, 2015, with increased activity beginning Jan. 27, 2015.

As of Monday morning, there were nearly 3,300 hits to the malicious hosted page, a majority of them from the United States.

This latest zero-day vulnerability, as was the case with the previous two, impacts the latest release of Adobe's Flash Player (16.0.0.296) and earlier versions. An advisory from Adobe confirmed the attacks, noting that users on Internet Explorer and Firefox were the primary targets.

"Adobe expects to release an update for Flash Player during the week of February 2," their advisory states.

Late last month, after the disclosure from security researcher Kafeine, a second Flash Player vulnerability was added to the Angler exploit kit, but only the first flaw was fixed when Adobe released Flash Player version 16.0.0.287 as part of their normal update cycle.

On January 25, version 16.0.0.296 was released, which patched the second zero-day flaw.

In each of the three attacks, the Angler exploit kit has been the primary delivery vehicle, leveraging the popularity of websites such as Dailymotion.com in order to target as many people as possible.
