CIO

Adobe patches another 0-day in Flash used to infect Dailymotion visitors

  • Liam Tung (CSO Online)
  • 03 February, 2015 06:10

Adobe is rushing out its third unscheduled patch this month to fix a newly discovered flaw, affecting all versions of Flash Player, that is under attack. According to researchers, the attack has targeted thousands of visitors to popular video-sharing site Dailymotion.

It's been a rocky start to 2015 for the security of Adobe Flash, which has now seen five rounds of security updates in the past month, including three to address zero-day flaws that were under attack from hackers.

The next patch will address a flaw that is being exploited through malicious ads served by online ad networks, a technique known as ‘malvertising’. Attackers can do this by impersonating legitimate advertisers.

According to Adobe, if the critical Flash vulnerability (assigned CVE-2015-0313) is exploited, it could cause a system to crash and potentially allow an attacker to take control of the system.

This bug is particularly risky for end users since the hackers are using “drive-by-download” attacks to infect systems with malware. In other words, the malware will install automatically once a browser is exposed to the exploit. Since it affects the newest version of Flash Player, the safest option is to disable it until Adobe releases an update that fixes the bug. Adobe plans to release an update at some time within the week after Tuesday, 2 February.

(Update: Adobe has now released the auto-update to address the flaw CVE-2015-0313. It expects to release the update for manual download on February 5.)  

Attacks that have been observed are against systems running Internet Explorer and Firefox on Windows 8.1 and below.

The vulnerable version of Flash Player is 16.0.0.296 for Windows and Mac OS. Also affected are Flash Player 13.0.0.264 and earlier 13.x versions, and 11.2.202.440 and earlier versions for Linux.

The bug was reported by researchers at security firm Trend Micro, who believe the new exploit is being used by the Angler Exploit Kit. The same kit was behind attacks on a flaw that forced Adobe to release an unscheduled patch earlier this month.

According to Trend Micro threat analyst Peter Pi, visitors to the video-sharing site Dailymotion were redirected to an attack site that hosted the malicious ads. The attack has been ongoing since at least January 14; however, there was a spike on 27 January.

“It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site. It is likely that this was not limited to the Dailymotion website alone, since the infection was triggered from the advertising platform and not the website content itself,” Pi noted.

Pi added that the malicious ads that it had analysed were currently not being displayed; however, it had witnessed 3,294 infections and warned other attacks are likely using this exploit.

Flash Player users should update the software or related plugin once Adobe releases the update. An exploit for one of the patched flaws (CVE-2015-0311) quickly made its way to other exploit kits and was used in an ad fraud campaign targeting users of a porn site.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

