Adobe Fixes Flash Zero Day

Friday, February 6, 2015 @ 04:02 PM gHale

Adobe has started pushing a new release of Flash Player that fixes the Zero Day vulnerability currently under active exploitation.

Attackers are exploiting the vulnerability, identified as CVE-2015-0313, through the Hanjuan exploit kit in malvertising campaigns on popular websites such as DailyMotion.

Attackers are exploiting the vulnerability against users who browse with Internet Explorer and Mozilla Firefox, regardless of the underlying Windows operating system version, said Peter Pi of Trend Micro, who discovered the issue.

Security researchers at Trustwave have analyzed the Zero Day vulnerability and found it is a use-after-free “caused by a bug in how Flash handles the FlashCC (previously Flash Alchemy) ‘fast memory access’ feature (domainMemory), when the last is used by flash Workers (Flash threads),” they said in a blog post.

The flaw affects Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh, as well as build 13.0.0.264 and earlier 13.x versions of the application.

On Wednesday, Adobe updated the initial security bulletin for CVE-2015-0313, saying the new revision (16.0.0.305) would be delivered automatically to desktop runtime installations where the auto-update mechanism is on.

The company said the manual download is also available so all users can install the latest revision and mitigate the risk.

The plug-ins for Internet Explorer 10 and 11 and for Google Chrome will be updated automatically through the browsers' own update mechanisms.
