Adobe fixes just one of two actively exploited zero-day vulnerabilities in Flash Player

Internet Explorer and Firefox users with Flash Player enabled remain at risk

Emergency updates for Flash Player released Thursday fix a vulnerability that is actively exploited by attackers, but leave a separate one unpatched.

Adobe Systems released Flash Player 16.0.0.287 for Windows and Mac, Flash Player 11.2.202.438 for Linux and Flash Player Extended Support Release 13.0.0.262. These updates address a vulnerability identified in the Common Vulnerabilities and Exposures database as CVE-2015-0310.

Adobe is aware of an exploit for this vulnerability "in the wild" being used to attack older versions of Flash Player, the company said in a security advisory.

On Wednesday, a French malware researcher who uses the online alias Kafeine reported on his blog that cybercriminals using the Angler Exploit Kit are targeting an unpatched vulnerability in Flash Player. That vulnerability, it seems, is not CVE-2015-0310 and remains unpatched.

Kafeine has since updated his blog post to reflect that the Angler exploit seen yesterday also works against the newly released Flash Player 16.0.0.287 for Windows and Mac. Moreover, the attackers have since corrected an error in their implementation and are now also targeting Firefox users who have Flash Player installed in addition to Internet Explorer users.

"Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled," Kafeine said. Google Chrome, where Flash Player runs under the browser's security sandbox, is not targeted.

"We are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild," Adobe said.

Interestingly, the CVE-2015-0310 vulnerability that was patched Thursday was also used in attacks with the Angler Exploit Kit, but last week, according to Kafeine.

Attack tools like Angler exploit vulnerabilities in browser plug-ins to install malware on computers, but usually they target known vulnerabilities, for which patches have already been released. That's because the cybercriminals using these tools are satisfied with only targeting the many users who are not quick to update the software on their computers.

Zero-day exploits -- exploits for which the vendor doesn't have a patch -- do have a higher success rate, but they're also much more expensive to buy on the black market, especially those for widely used software like Flash Player. The use of two such exploits in a mass attack tool like Angler within a week is quite unusual, because it significantly increases the chance of those valuable exploits being discovered and burned.

Firefox users can enable the browser's click-to-play feature in order to avoid Flash content from executing automatically. However, security researchers advise that it's better to disable the Flash Player plug-in entirely from the browser until a patched version is released.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags patch managementmalwarepatchesAdobe SystemsExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?