Aerosol
Posted February 3, 2015

ADOBE FLASH IS VULNERABLE again, Adobe has warned. The company released a new security bulletin acknowledging a zero-day flaw in Flash Player which was exploited throughout January.

Classified with a 'critical' severity rating, the CVE-2015-0313 flaw affects Flash Player 16.0.0.296 and earlier versions on Windows and OS X machines.

A successful exploitation "could cause a crash and potentially allow an attacker to take control of the affected system", Adobe warned.

The company thanked security researchers from Microsoft and Trend Micro for reporting the flaw.

The vulnerability is being exploited via drive-by download attacks against users of Internet Explorer and Firefox on Windows 8.1, Adobe said.

Trend Micro said that the flaw has been exploited by cyber criminals with 'malvertising' campaigns that redirect visitors from a legitimate site to a malicious domain where the exploit is hosted.

Using the ad-serving network allows the criminals to maximise the attack surface while spreading the infection automatically on vulnerable systems, the security firm explained.

Most of those who accessed the malicious server in January were located in the US, Trend Micro said. The popular video sharing site Dailymotion was one site affected by the vulnerability.

January was a busy period for Flash Player, with two critical flaws already discovered and patched by Adobe near the end of the month. The company said that a fixed version of Flash Player will be released this week.

Andy Manoske of security company AlienVault said that Flash "is extremely prolific with something like ~20% penetration of all active websites on the web", and that there is "an incredible amount of scrutiny on Flash" from researchers and criminals.

The software's complicated architecture isn't helpful in avoiding the discovery of new vulnerabilities, the researcher warned.