Emergency updates for Flash Player released Thursday fix a vulnerability that is actively exploited by attackers, but leave a separate one unpatched.
Adobe Systems released Flash Player 220.127.116.117 for Windows and Mac, Flash Player 18.104.22.1688 for Linux and Flash Player Extended Support Release 22.214.171.1242. These updates address a vulnerability identified in the Common Vulnerabilities and Exposures database as CVE-2015-0310.
Adobe is aware of an exploit for this vulnerability “in the wild” being used to attack older versions of Flash Player, the company said in a security advisory.
On Wednesday, a French malware researcher who uses the online alias Kafeine reported on his blog that cybercriminals using the Angler Exploit Kit are targeting an unpatched vulnerability in Flash Player. That vulnerability, it seems, is not CVE-2015-0310 and remains unpatched.
Kafeine has since updated his blog post to reflect that the Angler exploit seen yesterday also works against the newly released Flash Player 126.96.36.1997 for Windows and Mac. Moreover, the attackers have since corrected an error in their implementation and are now also targeting Firefox users who have Flash Player installed in addition to Internet Explorer users.
“Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 188.8.131.527 (included) is installed and enabled,” Kafeine said. Google Chrome, where Flash Player runs under the browser’s security sandbox, is not targeted.
“We are investigating reports that a separate exploit for Flash Player 184.108.40.2067 and earlier also exists in the wild,” Adobe said.
Interestingly, the CVE-2015-0310 vulnerability that was patched Thursday was also used in attacks with the Angler Exploit Kit, but last week, according to Kafeine.
Attack tools like Angler exploit vulnerabilities in browser plug-ins to install malware on computers, but usually they target known vulnerabilities, for which patches have already been released. That’s because the cybercriminals using these tools are satisfied with only targeting the many users who are not quick to update the software on their computers.
Zero-day exploits—exploits for which the vendor doesn’t have a patch—do have a higher success rate, but they’re also much more expensive to buy on the black market, especially those for widely used software like Flash Player. The use of two such exploits in a mass attack tool like Angler within a week is quite unusual, because it significantly increases the chance of those valuable exploits being discovered and burned.
Firefox users can enable the browser’s click-to-play feature in order to avoid Flash content from executing automatically. However, security researchers advise that it’s better to disable the Flash Player plug-in entirely from the browser until a patched version is released.