Adobe patches 2nd Flash Player Zero-day Vulnerability
Ready to patch your Adobe Flash software now. Adobe has patched one after one two zero-day vulnerabilities in its Adobe Flash that are being actively exploited by the cyber criminals.

On Thursday, the company released an emergency update for one of the critical vulnerabilities in Flash Player. However, the flaw was not the one that security researcher Kafeine reported. Adobe focused on another zero-day, identified as CVE-2015-0310, that was also exploited by Angler malicious toolkit.

Today, Adobe released an updated version of its Flash player software that patches a zero-day vulnerability, tracked as CVE-2015-0311, spotted by French security researcher Kafeine at the beginning of the week.

The vulnerability is "being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below," Adobe said in a security advisory. The company defines CVE-2015-0311 as "critical," which means that "the vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."

In case of a "drive-by-download" attack, an attacker downloads a malicious software to a victim's computer without their knowledge or explicit consent. As a result, the flaw could allow remote attackers to take control of victims' Macs or PCs.

According to the tests carried out by the security researcher, CVE-2015-0311 affected all versions of Flash Player included in any version of Windows operating system, any version of Internet Explorer (IE) and Mozilla Firefox as well. However, the Google Chrome users were safe as the exploit was not triggered on Chrome.

  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier 13.x versions
  • Adobe Flash Player and earlier versions for Linux
Due to the actively exploitation of the zero-day flaw by malicious actors, the company is urging Adobe Flash Player users to update their software as soon as possible.
Adobe updated its security advisory on Saturday and stated, "Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post."
Despite number of security problems in its software, Adobe has improved the security of its products in recent year, and we really appreciate for its quick response and management to roll a patch before the company scheduled to deliver it.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.