The vulnerability, known as CVE-2015-0310, can be used by hackers to “circumvent memory randomization mitigations” on versions of Windows.
Obviously it would be sensible to ensure that your version of Flash is updated as soon as possible.
If you’re using Google Chrome or Internet Explorer for Windows 8.x, then Flash should already have been updated to the latest version. If not, then it would be wise to follow the advice in Adobe’s security advisory to get the latest update as soon as possible.
Unfortunately, however, the story doesn’t end there. As Adobe has acknowledged that there is another zero-day vulnerability in Flash.
This other, as-yet-unpatched bug, was first reported by security researcher Kafeine via their Malware don’t need Coffee blog, when they noticed it being distributed through the malicious Angler Exploit Kit to recruit computers into botnets or to commit click fraud.
The critical zero-day vulnerability, known as CVE-2015-0311, exists in Adobe Flash Player version 22.214.171.1247 and earlier for Windows, Macintosh and Linux, and could allow a remote attacker to plant malware and take control of vulnerable computers.
Adobe says it is aware of the vulnerability being actively exploited in the wild via drive-by-download attacks (that’s where you visit a boobytrapped website on a vulnerable computer) against systems running Internet Explorer and Firefox on Windows 8 and below.
Adobe says the following versions of Adobe Flash are vulnerable to this exploit:
- Adobe Flash Player 126.96.36.1997 and earlier versions for Windows and Macintosh
- Adobe Flash Player 188.8.131.522 and earlier 13.x versions
- Adobe Flash Player 184.108.40.2068 and earlier versions for Linux
Adobe says it hopes to have a patch out next week, but for many users the safest advice may be to disable Flash if possible while you’re waiting for a fix to be issued.
If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.
The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).
Update: Good news! Adobe patches second Flash zero-day vulnerability ahead of schedule.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.