Researchers have found another new zero-day bug in Flash Player. Adobe Systems Inc., which this morning confirmed the critical vulnerability, plans to issue an out-of-band patch this week.
Adobe's alert bulletin noted that, like the zero-day vulnerability found in Flash last week, this new flaw, labeled CVE-2015-0313, affects all versions of Flash Player and is being exploited via drive-by-download attacks against Internet Explorer and Firefox running on Windows 8.1 and earlier. Google Chrome is unaffected because of how it sandboxes Flash within the browser.
Pi said that the exploit has been observed in a hosted .swf malvertisement. When a user is directed to the target URL, the advertisement automatically loads and infects the user's system.
At the time of Trend Micro's blog post, the malicious ads appeared to be down, but the company reported that there had already been almost 3,300 hits related to the exploit.
Pi suggested disabling the Flash Player until a patch has been released. Adobe has promised a patch sometime this week.
This is the latest in what has been a devastating series of Flash flaws. Adobe's first patch update of the year, released Jan. 13, fixed nine critical flaws in the video technology. Nine days later, the company released an out-of-band patch for a critical vulnerability, followed by another emergency patch a week ago Saturday to fix yet another critical flaw.