A third Flash Zero-Day is being exploited in the wild

A third critical zero-day vulnerability affects Adobe Flash Player 16.0.0.296 and earlier versions for Windows, Linux and Mac.

It is the third time in a few weeks that the security of Adobe users is menaced by a zero-day in Flash that affects Windows, Linux and OS X systems.

The company is already working to provide a patch as soon as possible, the company wants to fix the vulnerability that according to the experts is being exploited in drive-by download attacks.

On Monday, Adobe has released a security advisory warning users that threat actors are exploiting a new vulnerability in Flash and announced that they’re planning to release a patch for the zero-day already this week. The vulnerability affects Flash on Windows, OS X and Linux. Also in this case the exploitation of the flaw could allow an attacker to take control of the targeted system.

“A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below,” reports the advisory published by Adobe.

At the end of January, the French security researcher Kafeine discovered an unpatched vulnerability (0day) in Flash Player was being exploited by Angler Exploit Kit. A few days later, the experts discovered a second zero-day vulnerability in Adobe Flash.

Adobe promptly released the security patches for both zero-day vulnerabilities. Also in this case, the zero-day in Flash reportedly is being used by the infamous Angler kit.

Pierluigi Paganini

(Security Affairs – Flash zero-dat, Angler kit)