A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.
Affected software versions
- Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh
- Adobe Flash Player 13.0.0.264 and earlier 13.x versions
The CVE-2015-0313 vulnerability was identified by Elia Florio and Dave Weston of Microsoft and Peter Pi of Trend Micro. Over the weekend, the researchers at Trend Micro have discovered a new, unpatched vulnerability affecting Adobe Flash. This new vulnerability puts all users of the current version of Adobe Flash at risk.
The attack dates back to January 14, 2015, and took a turn for the worse starting on January 27, 2015. Adobe has been notified about the issue. Adobe expects to release an update for Flash Player during the week of February 2. This is a situation nearly identical to the situation we wrote about last weekend in “New “Zero-day” in Adobe Flash: What You Need to Know”. Just like that situation, the attacks are being carried out through compromised online advertisements (a technique sometimes called “malvertising”).
Trend Micro reported that “Based on data from the Trend Micro™ Smart Protection Network™, we’ve seen 3,294 hits of a known, compromised site. These latest attacks appear so far to be primarily affecting users in the United States.”
