Adobe Systems started pushing a critical Flash Player patch to users who have auto-update enabled over the weekend in order to fix a vulnerability that has been exploited by attackers since last week.
An exploit for the vulnerability has been integrated into the Angler Exploit Kit, a tool used by cybercriminals to launch mass drive-by-download attacks, primarily through malicious ads displayed on legitimate websites.
The vulnerability, tracked as CVE-2015-0311, affects users with Flash Player enabled in Mozilla Firefox and in all versions of Internet Explorer running on Windows 8.1 and earlier. The Flash Player plug-in bundled with Google Chrome also has the vulnerability, but the browser’s security sandbox mechanism prevents its exploitation.
“Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 126.96.36.1996 beginning on January 24,” Adobe said in a security advisory Saturday.
The company also said that it will make the new Flash Player version available for manual download this week. Even though the release hasn’t officially been announced yet, the new version is already available on its distribution site.
The update comes after Adobe released another Flash Player version last week to address a different zero-day, or exploited but unpatched, vulnerability. That one was tracked as CVE-2015-0310.
Drive-by-download attacks silently install malware on users’ computers when they visit compromised websites or view malicious ads in their browsers. Attackers manage to push malicious ads onto ad networks through a variety of techniques that include impersonating advertisers. Those ads then make it onto large legitimate websites.
Combining malvertising with zero-day exploits results in very powerful and widespread attacks that are hard to defend against. The SANS Institute’s Internet Storm Center raised the threat level to yellow because of the ongoing Flash Player attacks.
Users can also protect themselves by enabling the click-to-play feature in browsers which prevents plug-in-based content like Flash from running automatically without the user’s consent.