Flash Player Hit by Third Zero-Day Vulnerability in a Month

This year is off to a rough start for Adobe, which issued yet another security advisory on Monday regarding a new zero-day vulnerability identified in its Adobe Flash Player. Described as a "critical" vulnerability, it's the third Flash zero-day to emerge in recent weeks.

Adobe credits researchers at both Microsoft and Trend Micro for discovering and reporting this latest vulnerability. The new exploit -- identified as CVE-2015-0313 (vulnerability identifier APSA15-02) -- is executed through malvertisements, according to Trend Micro.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its security advisory, adding that the vulnerability affects both Internet Explorer and Firefox users on Windows 8.1 and earlier versions. It added that it expects to release an update to resolve the zero-day sometime this week.

Infection Happens 'Automatically'

Trend Micro has been following this latest attack since January 14, tracing it to advertisements appearing on the video-sharing site Dailymotion, Trend Micro Threats Analyst Peter Pi wrote in a blog post. Visitors arriving at the site were redirected to a series of sites before eventually being taken to a malicious URL where the exploit was hosted, he said.

"It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site," he said. "It is likely that this was not limited to the Dailymotion Web site alone, since the infection was triggered from the advertising platform and not the Web site content itself." Most of the users who appear to have been affected so far are from the U.S., Pi added.

"So far we've seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it's likely there are other attacks leveraging this zero-day, posing a great risk of...
