Adobe to release patch next week for 'critical' Flash zero-day under attack

Adobe says it will deliver a fix for a newly discovered flaw that is being used in drive-by download attacks, but the patch won't be ready until at least next Monday.

It may be time to disable Flash Player: a patch to fix a critical flaw in the latest version of the software won't be available for several days.

Adobe this week confirmed that the critical flaw affects the latest version of Flash Player on all platforms. However, while there are credible reports that the browser plugin is under attack, a fix isn't due until at least after the weekend. In an advisory published on Thursday, Adobe said a fix will be released "during the week of January 26".

"A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in the advisory.


"We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below," it added.

Adobe hasn't yet provided details about the vulnerability that was exploited; however, it is likely to do so once the fix is released.

Security researcher Kafeine reported on Wednesday that the Angler exploit kit, an up-and-coming threat, contained an exploit that successfully compromised multiple versions of Windows running the latest version of Flash Player in Internet Explorer 6 through 11, as well as Flash in Firefox, but not in Chrome.

The particular exploit kit sample analysed was distributing ad-fraud malware, but the same kit could be used to install other malicious components.

Until yesterday, the latest version of Flash for Windows and Mac was 16.0.0.257. Adobe then released an unscheduled fix for Flash Player addressing a different, recently discovered flaw (CVE-2015-0310), which was also known to be under attack.

That update also covered all platforms and brought the latest version for Windows and Mac up to 16.0.0.287, addressing "a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform." Because the new advisory lists 16.0.0.287 as affected, the build that shipped yesterday is still exposed to CVE-2015-0311.

While there haven't been reports of attacks on Flash Player on Linux machines, it too is vulnerable.

According to Adobe, affected versions of Flash Player include 16.0.0.287 and earlier versions for Windows and Macintosh; 13.0.0.262 and earlier 13.x versions; and 11.2.202.438 and earlier versions for Linux.
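As a practitioner's check, and as an added example rather than anything from Adobe's advisory or this article, the version ranges above can be turned into a small triage script that flags installed Flash Player builds still in the affected ranges for CVE-2015-0311. The affected ceilings are the ones quoted from Adobe; the host names, the "fixed" build numbers used to show the other side of each boundary, and the inventory format are constructed for illustration.

```python
"""Check installed Flash Player builds against the affected ranges quoted
from Adobe's advisory for CVE-2015-0311.

Added example, not Adobe code. The ceilings below are the versions named in
the advisory; hosts and post-fix build numbers in the sample inventory are
constructed for illustration.
"""

# Newest affected build per platform and release branch, per the advisory:
# "16.0.0.287 and earlier" for Windows/Macintosh, the 13.x extended-support
# branch capped separately at 13.0.0.262, and "11.2.202.438 and earlier"
# for Linux.
AFFECTED_MAX = {
    "windows": {"main": (16, 0, 0, 287), "13.x": (13, 0, 0, 262)},
    "macintosh": {"main": (16, 0, 0, 287), "13.x": (13, 0, 0, 262)},
    "linux": {"main": (11, 2, 202, 438)},
}


def parse_version(text):
    """Turn '16.0.0.287' into (16, 0, 0, 287) so it compares numerically.

    Comparing the dotted strings lexically would sort '16.0.0.300' below
    '16.0.0.41'; tuples of ints compare field by field instead.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version, platform):
    """Return True if this Flash Player build falls in an affected range."""
    v = parse_version(version)
    ranges = AFFECTED_MAX[platform.lower()]
    # The 13.x extended-support branch has its own ceiling: a 13.x build
    # newer than 13.0.0.262 is outside the affected range even though it
    # is numerically "earlier" than 16.0.0.287.
    if v[0] == 13 and "13.x" in ranges:
        return v <= ranges["13.x"]
    return v <= ranges["main"]


def triage(inventory):
    """Map each (host, platform, version) record to a remediation verdict."""
    report = {}
    for host, platform, version in inventory:
        try:
            if is_affected(version, platform):
                report[host] = "AFFECTED - disable Flash until patched"
            else:
                report[host] = "not affected"
        except (KeyError, ValueError) as err:
            # Unknown platform or unparsable version: surface it rather
            # than silently treating the host as safe.
            report[host] = f"unknown ({err})"
    return report


# Constructed sample inventory; hosts and "fixed" build numbers are made up.
SAMPLE_INVENTORY = [
    ("ws01", "Windows", "16.0.0.287"),     # latest release at the time: affected
    ("ws02", "Windows", "16.0.0.257"),     # prior release: affected
    ("ws03", "Windows", "13.0.0.262"),     # 13.x branch at the cap: affected
    ("ws04", "Windows", "13.0.0.264"),     # hypothetical 13.x build above the cap
    ("mac01", "Macintosh", "16.0.0.300"),  # hypothetical post-fix build
    ("lnx01", "Linux", "11.2.202.438"),    # affected
    ("lnx02", "Linux", "11.2.202.442"),    # hypothetical post-fix build
    ("bad01", "Windows", "16.0.0.x"),      # malformed version string
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<6} {verdict}")
```

The 13.x branch is handled before the general comparison on purpose: a naive "less than or equal to 16.0.0.287" test would wrongly flag a patched 13.x build, and a lexical string comparison would get the 16.0.0.300 case backwards.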
