Adobe Systems Inc. released an out-of-band emergency patch on Saturday for a Flash Player zero-day vulnerability that was uncovered last week and is already being exploited in the wild.
The vulnerability was publicly disclosed on Wednesday by a security researcher who goes by the Twitter handle Kafeine and affects all versions of Adobe Flash Player through 16.0.0.287. Late on Thursday, Adobe released an advisory stating that it was investigating the flaw, now tracked as CVE-2015-0311. Two days later, Adobe updated its advisory to say that users who had enabled auto-updates for the Flash Player runtime would receive the fix as part of the 16.0.0.296 update, with a manual download promised for the week of Jan. 26.
Adobe also noted that it is working with its distribution partners to make the patch available for the Flash Player builds bundled with Google Chrome and with Internet Explorer 10 and 11, although Google Chrome was not listed as an at-risk browser in the initial report because of how Flash Player is sandboxed within that browser.
According to Adobe, "this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below."
A blog post at Malware don't need coffee by Kafeine confirmed that the Adobe Flash zero-day flaw is being targeted by the Angler exploit kit. A successful remote exploit can crash the player and potentially allow an attacker to take control of the affected system.