Categories: Security

Adobe issued the update to fix CVE-2015-0311 zero day

Adobe released a security update that fixes also the zero-day vulnerability CVE-2015-0311 discovered by Kafeine in the last release of Angler exploit kit.

The French security expert Kafeine has recently discovered an unpatched vulnerability (0day) in Flash Player is being exploited by Angler Exploit Kit.

The new variant of the Angler exploit kit that exploit three different vulnerabilities in Flash Player, including the zero-day flaw (coded CVE-2015-0311) for the latest version of Flash (version 16.0.0.257) in several versions of Internet Explorer running on Windows 7 and Windows 8.

Adobe recognized this flaw as a critical vulnerability and it immediately started the investigation on the new Angler exploit kit to develop a security update to secure its customers.

The new Angler exploit kit includes also the code to exploit two known vulnerabilities, but security industry way scared by the presence of a zero-day in Flash that was being used in the wild to install a the Bedep malware.

“A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” warned Adobe in an Adobe Security Bulletin.

Security experts noticed that attackers that are exploiting the vulnerability in the wild via drive-by-download attacks are targeting systems running Internet Explorer and Firefox on Windows 8.1 and below.

On January 24, Adobe has issued a security update that fixex the vulnerability, as explained by the company users who have enabled auto-update for the Flash Player desktop runtime will be receiving the update that fix also the CVE-2015-0311.

Adobe also announced that the manual download for the update will be available during the week of January 26.Adobe is working with distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.

“This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post. ” states the security advisory.

If you have doubts about the Adobe Flash Player version installed on your machine, verify it by browsing the About Flash Player page.

Pierluigi Paganini

(Security Affairs – Adobe Flash Player, zero day CVE-2015-0311)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.