Another Unpatched Adobe Flash Zero-Day vulnerability Exploited in the Wild
Warning for Adobe users! Another zero-day vulnerability has been discovered in Adobe Flash Player that is actively being exploited by cyber crooks in drive-by download attacks, security researchers warned today.
This is the third time in the last few weeks that Adobe has had to deal with a zero-day vulnerability in Flash Player. The new Adobe Flash Player vulnerability, identified as CVE-2015-0313, exists in the latest version of Flash Player, i.e. version 16.0.0.296, and earlier.
In late January, Adobe released an updated version of its Flash Player software that patched a zero-day vulnerability, tracked as CVE-2015-0311, spotted by French security researcher Kafeine. That Adobe Flash Player vulnerability was also being actively exploited via malvertisement and drive-by-download attacks.
In a "drive-by-download" attack, an attacker downloads malicious software to a victim's computer without their knowledge or explicit consent. As a result, the flaw could allow remote attackers to take control of victims' Macs or PCs.
On January 22, the company released an emergency update for a second zero-day flaw, identified as CVE-2015-0310, that was circulating and being exploited by the Angler exploit kit.
In a security advisory released Monday, Adobe officials said that they are working on a patch and planning to release it sometime this week. The Adobe Flash Player zero-day vulnerability is being used against computers running all versions of Internet Explorer and Mozilla Firefox on Windows 8.1 and earlier. In addition to Windows, the flaw affects Flash on OS X and Linux.
This newest zero-day vulnerability in Flash reportedly is being used by
the Angler kit, as well. If successfully exploited, the vulnerability
could cause a crash and potentially allow criminal hackers to take
control of the affected system.
Cybercriminals are currently using this zero-day flaw in a malvertising campaign on the popular video-sharing site Dailymotion, and other websites are thought to be affected as well, since the infections were delivered through an advertising platform and not through the website content itself.
Visitors to any of the affected sites would have been redirected to a
series of websites and finally landed on a page controlled by attackers,
hosting an exploit kit. This exploit kit would attempt to compromise
the target system by exploiting the Adobe Flash zero-day flaw.
Security firm Trend Micro, which reported the zero-day to Adobe, had been tracking this Flash zero-day vulnerability since January 14 and had been working with Adobe to fix the issue.
Trend Micro said it had "seen around 3,294 hits related to the exploit". The firm is recommending users "consider disabling Flash Player until a fixed version is released".
"We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below," Adobe said in its own advisory.
Adobe didn't specify the day on which the patch would be released, but said it would release a fix for this "critical vulnerability" this week. Users who are concerned about this security issue can temporarily disable Adobe Flash in their browsers.
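The two actionable facts in this report are the affected version range (16.0.0.296 and earlier) and Trend Micro's interim advice to disable Flash until a fix ships. The following is an added example, not code from the article or from Adobe, that turns those two facts into a triage check an administrator could run over a host inventory: it parses Flash version strings numerically (string comparison would wrongly sort 16.0.0.1000 below 16.0.0.296), flags hosts still on an affected build, and records the recommended action. The hostnames and versions in SAMPLE_INVENTORY are constructed sample data; the patched version number is not given on the page, so the check is expressed only as "last affected version or older".

```python
import re
from typing import Dict, Optional, Tuple

# Last affected build named in the Adobe advisory as reported above.
LAST_AFFECTED = "16.0.0.296"
CVE_ID = "CVE-2015-0313"

# Trend Micro's interim recommendation quoted in the article.
ACTION_AFFECTED = "disable Flash Player until a fixed version is released"

Version = Tuple[int, ...]


def parse_version(text: str) -> Optional[Version]:
    """Parse a dotted Flash Player version such as '16.0.0.296' into an int tuple.

    Also accepts the comma form Windows shows in file properties ('16,0,0,296').
    Returns None when the string is not a version at all.
    """
    m = re.fullmatch(r"\s*(\d+(?:[.,]\d+){0,3})\s*", text)
    if not m:
        return None
    return tuple(int(part) for part in re.split(r"[.,]", m.group(1)))


def _padded(v: Version, length: int) -> Version:
    """Right-pad with zeros so '16.0' compares as 16.0.0.0."""
    return v + (0,) * (length - len(v))


def is_affected(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed build is last_affected or older (numeric compare)."""
    v = parse_version(installed)
    bound = parse_version(last_affected)
    if v is None or bound is None:
        raise ValueError(f"not a Flash version string: {installed!r}")
    n = max(len(v), len(bound))
    return _padded(v, n) <= _padded(bound, n)


def triage(inventory: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each host to a status: 'affected', 'not-affected', 'not-installed' or 'unparseable'.

    inventory maps hostname -> installed Flash version string, or None if Flash is absent.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        if version is None:
            result[host] = "not-installed"
            continue
        if parse_version(version) is None:
            result[host] = "unparseable"
            continue
        result[host] = "affected" if is_affected(version) else "not-affected"
    return result


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY: Dict[str, Optional[str]] = {
    "ws-01": "16.0.0.296",   # latest build at the time of the report: still affected
    "ws-02": "16.0.0.257",   # older build: affected
    "ws-03": None,           # Flash not installed
    "ws-04": "16,0,0,296",   # comma form copied from Windows file properties
    "ws-05": "n/a",          # inventory field not populated
}


def report(inventory: Dict[str, Optional[str]] = SAMPLE_INVENTORY) -> Dict[str, str]:
    """Return host -> recommended action for hosts on an affected build."""
    actions = {}
    for host, status in triage(inventory).items():
        if status == "affected":
            actions[host] = f"{CVE_ID}: {ACTION_AFFECTED}"
        elif status == "unparseable":
            actions[host] = "verify Flash version manually"
    return actions


if __name__ == "__main__":
    for host, action in report().items():
        print(f"{host}: {action}")
```

The comparison deliberately pads short versions and compares tuples of ints rather than strings; that is the edge case that bites inventory scripts once a vendor's build number grows an extra digit.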
Reviewed by Unknown on 2/03/2015