A new major zero-day vulnerability has been discovered in Adobe Flash; the third this year.
Adobe officials released an advisory warning users that attackers are exploiting the vulnerability, and said that they plan to release a patch for the flaw sometime this week. The vulnerability affects Flash on Windows, OS X and Linux.
Adobe said: “A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 22.214.171.1246 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of report that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.”
Research by Trend Micro said that those targeted included visitors to the video streaming website dailymotion.com who were redirected to a series of sites that eventually led to a URL where the exploit itself was hosted.
“It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site,” Trend Micro threats analyst Peter Pi said. “It is likely that this was not limited to the Dailymotion website alone; since the infection was triggered from the advertising platform and not the website content itself.”
Adam Winn, product manager at OPSWAT said that the most vulnerable users are those who do not block ads, and have Flash set to autoplay. “A zero-day vulnerability like this can strike anyway, no matter how safe their browsing habits or how well-patched their software is,” he said.
Stephen Coty, chief security evangelist at Alert Logic, said that the exploit is being used by the Angler kit, a malicious tool kit that has been linked to two other Adobe vulnerabilities.
He said: “This infection is being triggered primarily from advertising links and not the content of the actual website. According to Trend Micro, most of the systems compromised in this attack are from the United States and they observed 3,294 hits related to the exploit.
“At the moment, the malicious advertisements connected to the infection site observed by Trend Micro appear to be down, which means that they may easily be using other sites to compromise users. Until Adobe is able to release a patch the best thing that can be done to protect your workstation is to disable browsers plugins.”
Andy Manoske, senior product manager at AlienVault, said: “Flash is architecturally complicated. It’s not really a single platform so much as a zoo of different operating system clients that agree o
n a series of protocols and features. Complexity like this has a tendency to create issues due to things like implementation errors and race conditions, thereby creating the opportunity for exploitable vulnerabilities to be accidentally created and missed in quality assurance.
“The proliferation of exploit kits like Angler only exacerbates this issue, and I think similar discoveries such as Trend’s findings in DailyMotion will force ad networks to ask their industry serious questions about content review processes given how common these attacks are becoming.”