Yet Another Adobe Flash Zero-Day Vulnerability
Adobe Flash Player is notorious for causing security issues. It’s just one of the many reasons why sites like YouTube have switched to HTML5. Trend Micro’s researchers recently discovered a zero-day exploit in Flash used in malvertising attacks, affecting Windows, Mac, and Linux users. According to a security bulletin from Adobe, the vulnerability, known as CVE-2015-0313, affects Flash Player 126.96.36.1996 (the latest version) and earlier versions. A patch for CVE-2015-0313 is expected to begin rolling out on February 4th. Until the update is available, users are advised to disable Adobe Flash Player.
The Damage is Already Done
While Adobe will be releasing a patch soon, the exploit has already been used in the wild. For instance, visitors to popular websites like Dailymotion.com were redirected through a series of URLs before finally being taken to the malicious URL: hxxp://www.retilio.com/skillt.swf.
This type of attack is known as malvertising. Most ad vendors rely on Flash-based ad banners. Flash advertisements are an effective attack vector for zero-day exploits like CVE-2015-0313 because ad banners are loaded automatically as soon as a user visits a website, with no further interaction required.
According to research from SpiderLabs, the exploit is delivered by an exploit kit known as HanJuan, which may have ties to the better-known Angler Exploit Kit. In fact, two other Flash zero-day exploits used by Angler were discovered in the last few weeks. Angler has already compromised 1800 domains, and that number will likely continue to grow as new exploits are found and users fail to keep their software up to date.
Regarding the status of a patch for this latest zero-day, Adobe released the following statement:
Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 188.8.131.525 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
But given the ever-increasing number of critical vulnerabilities discovered in Flash, the question is whether using Flash is still worth it, especially when alternatives like HTML5 have soared in popularity.