Running Adobe Flash? You need to read this today

Graham Cluley

Adobe has released a critical security patch for an Adobe Flash vulnerability that is being exploited by online criminals.

The vulnerability, known as CVE-2015-0310, can be used by hackers to “circumvent memory randomization mitigations” on versions of Windows.

Obviously it would be sensible to ensure that your version of Flash is updated as soon as possible.

If you’re using Google Chrome or Internet Explorer for Windows 8.x, then Flash should already have been updated to the latest version. If not, then it would be wise to follow the advice in Adobe’s security advisory to get the latest update as soon as possible.


Unfortunately, however, the story doesn’t end there: Adobe has acknowledged that there is another, as-yet-unpatched zero-day vulnerability in Flash.

This second bug was first reported by the security researcher Kafeine on the Malware don’t need Coffee blog, after spotting it being distributed through the malicious Angler Exploit Kit to recruit computers into botnets or to commit click fraud.

The critical zero-day vulnerability, known as CVE-2015-0311, exists in Adobe Flash Player version and earlier for Windows, Macintosh and Linux, and could allow a remote attacker to plant malware and take control of vulnerable computers.

Adobe security advisory

Adobe says it is aware of the vulnerability being actively exploited in the wild via drive-by-download attacks (that’s where simply visiting a booby-trapped website on a vulnerable computer is enough to get infected, with no further action on your part) against systems running Internet Explorer and Firefox on Windows 8 and below.

Adobe says the following versions of Adobe Flash are vulnerable to this exploit:

  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier 13.x versions
  • Adobe Flash Player and earlier versions for Linux

Adobe says it hopes to have a patch out next week, but for many users the safest advice may be to disable Flash if possible while you’re waiting for a fix to be issued.

If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.
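Adobe’s affected-version lists are phrased as “version X and earlier”, with the long-term 13.x branch listed separately from the current branch, so an inventory check has to compare builds numerically within the right branch rather than as strings. The following is an added illustration of that check, written for this article; it is not code from the article or from Adobe, and the version numbers in it are constructed placeholders, not the thresholds from the advisory.

```python
"""Classify installed Flash Player builds against a per-branch "fixed in"
table, the way an Adobe "version X and earlier" advisory has to be read.

Added example for this article, not Adobe's code. Every version number in
this file is a constructed placeholder, not a real advisory threshold.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted build string such as '16.0.0.1' into a tuple of ints.

    Numeric parsing matters: comparing the raw strings would rank
    '16.0.0.9' above '16.0.0.10', which is exactly the mistake that
    reports a host as up to date when it is not.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1, treating missing trailing components as zero
    so that '13.0' and '13.0.0.0' are the same build."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_vulnerable(installed: str, fixed_by_branch: Dict[int, str]) -> bool:
    """True if `installed` is below the first fixed build of its branch.

    `fixed_by_branch` maps a major version (the branch, e.g. 13 or 16) to
    the first build on that branch that carries the fix.  "X and earlier"
    means every build strictly below X on the *same* branch is affected;
    a 13.x build is judged against the 13.x fix, never the 16.x number.
    A branch with no entry of its own is still "earlier" than any listed
    branch above it, so it is treated as affected; a branch newer than
    everything listed is outside the advisory and reported as not affected.
    """
    inst = parse_version(installed)
    branch = inst[0]
    if branch in fixed_by_branch:
        return compare(inst, parse_version(fixed_by_branch[branch])) < 0
    return any(listed > branch for listed in fixed_by_branch)


def scan_inventory(hosts: Dict[str, str], fixed_by_branch: Dict[int, str]) -> List[str]:
    """Return the names of hosts whose installed build is still affected."""
    return sorted(h for h, ver in hosts.items() if is_vulnerable(ver, fixed_by_branch))


# Hypothetical thresholds for the demo: the first fixed build per branch.
HYPOTHETICAL_FIXED = {16: "16.0.0.2", 13: "13.0.0.2"}

# Constructed sample inventory (host name -> reported Flash build).
SAMPLE_HOSTS = {
    "ws-01": "16.0.0.1",    # current branch, one build behind
    "ws-02": "16.0.0.2",    # current branch, on the fixed build
    "ws-03": "16.0.0.10",   # would look "older" than 16.0.0.2 as a string
    "esr-01": "13.0.0.1",   # 13.x branch, behind its own fix
    "esr-02": "13.0.0.2",   # 13.x branch, fixed
    "old-01": "15.0.0.9",   # unlisted branch below 16.x: "and earlier"
}

if __name__ == "__main__":
    for host in scan_inventory(SAMPLE_HOSTS, HYPOTHETICAL_FIXED):
        print(f"{host}: Flash {SAMPLE_HOSTS[host]} is still affected")
```

Feed it the real build numbers from the advisory and the output of your own version check in place of the placeholders; the branch-aware comparison is the part worth keeping.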

The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).

Update: Good news! Adobe patches second Flash zero-day vulnerability ahead of schedule.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Running Adobe Flash? You need to read this today”

  1. Chris Thomas

    MalwareBytes Anti-Exploit should be effective in protecting from the effects of Flash bugs. The free version protects web browsers and web browser plugins (Google Chrome, Firefox, Opera, Internet Explorer and also Java). MalwareBytes techs confirm that the Angler Exploit Kit delivered exploit is effectively mitigated by Anti-Exploit.

    Disclaimer: I use Anti-Exploit. I am not an employee or agent of that excellent firm MalwareBytes.

  2. David Blevins

    Adobe's Flash page is showing, as of 8:45AM ET 1/23/15, as the "latest" version … guess their left hand and right hand aren't in sync.

  3. Bob

    I have had to re-install Malwarebytes Pro 3 times in the last 4 months. My online browser protection was disabled each time. Malwarebytes Pro did extend my license as if just activated. Has Malwarebytes Pro been hacked?
