Adobe Flash that are being actively exploited by the cyber criminals.
PATCH FOR FIRST ZERO-DAY
On Thursday, the company released an emergency update for one of the critical vulnerabilities in Flash Player. However, the flaw was not the one that security researcher Kafeine reported. Adobe focused on another zero-day, identified as CVE-2015-0310, that was also exploited by the Angler malicious toolkit.
PATCH FOR SECOND ZERO-DAY
Today, Adobe released an updated version of its Flash Player software that patches a zero-day vulnerability, tracked as CVE-2015-0311, spotted by French security researcher Kafeine at the beginning of the week.
The vulnerability is "being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below," Adobe said in a security advisory. The company rates CVE-2015-0311 as "critical," a rating it defines as a vulnerability "which, if exploited would allow malicious native-code to execute, potentially without a user being aware."
In a "drive-by-download" attack, an attacker downloads malicious software to a victim's computer without their knowledge or explicit consent. As a result, the flaw could allow remote attackers to take control of victims’ Macs or PCs.
According to tests carried out by the security researcher, CVE-2015-0311 affected all versions of Flash Player on any version of the Windows operating system, with any version of Internet Explorer (IE) or Mozilla Firefox. However, Google Chrome users were safe, as the exploit was not triggered on Chrome.
AFFECTED SOFTWARE VERSIONS
- Adobe Flash Player 220.127.116.117 and earlier versions for Windows and Macintosh
- Adobe Flash Player 18.104.22.1682 and earlier 13.x versions
- Adobe Flash Player 22.214.171.1248 and earlier versions for Linux
Due to the active exploitation of the zero-day flaw by malicious actors, the company is urging Adobe Flash Player users to update their software as soon as possible.
Adobe updated its security advisory on Saturday and stated, "Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 126.96.36.1996 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post."
Despite a number of security problems in its software, Adobe has improved the security of its products in recent years, and we really appreciate its quick response and that it managed to roll out a patch before the company was scheduled to deliver it.