Adobe rushes fix for second Flash Player zero-day
Adobe has released a second out-of-band emergency fix for a zero-day vulnerability in Flash Player that leaves users open to attack by hackers.
The patch was released as part of an Adobe threat advisory and addresses a flaw that could be exploited by hackers to crash or hijack systems.
"A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh," read the advisory.
"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
Adobe called for users to install the patch as soon as possible, warning that it has evidence of hackers actively exploiting the flaw.
"We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below," read the advisory.
Adobe released a separate Flash Player patch earlier in January for a bug also being exploited by hackers.
“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” the firm said in a separate advisory.
“These updates address a vulnerability that could be used to circumvent memory randomisation mitigations on the Windows platform.”
Adobe said that the flaw is rated 'important', which it defines as follows: "A vulnerability which, if exploited, would compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer."
The flaw was being exploited by a popular kit called Angler, as noted by a security researcher named Kafeine who reported it in a blog post on Thursday.
This problem affects Adobe Flash Player 16.0.0.257 and earlier versions, Adobe Flash Player 13.0.0.260 and earlier 13.x versions, and Adobe Flash Player 11.2.202.429 and earlier versions for Linux.
Adobe has issued a fix and urged those with the following software versions to update as soon as possible:
• Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.287.
• Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.262.
• Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.438.
• Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.287.
The warnings come after Oracle issued a whopping 167 security patches for products including Java and Sun systems.
Reviewed by Unknown on 1/28/2015