Adobe Systems launched the distribution of an update to fix the latest security flaw in the company's Flash software, which is already being abused for malicious advertising attacks.
The update repairs a zero-day exploit named CVE-2015-0313 which can be used by hackers to take over the complete control of the system of the target user. The vulnerability can be found in all supported platforms of the Flash Player, including computers running on Windows, Mac OS X and Linux.
Users that have enabled the auto-update feature of the Flash Player desktop software will soon be receiving the repaired release of Flash, namely version 188.8.131.525. An update that users can apply manually will be released by Feb. 5, Adobe added.
For the auto-update feature found in Internet browsers, Adobe was less specific with the timetable and only said that the company is currently working with its distribution partners to roll out the security patch to the Flash Player for Internet Explorer 10, Internet Explorer 11 and Google Chrome.
Security researchers from Microsoft and Trend Micro discovered the vulnerability after the researchers saw certain attacks abusing the exploit. According to Trend Micro, code which took advantage of the exploit was discovered in the Angler exploit kit that is utilized by hackers.
Trend Micro discovered that a malicious advertisement that was uploaded to the video streaming website Dailymotion utilizing exploit, redirecting users to pages that hosted the Angler exploit kit. The computers of the victims were then attacked by the Angler exploit.
Another exploit kit, the Hanjuan kit, is also thought to be abusing the vulnerability in the Flash Player.
Websites are usually not aware of any malicious advertisements that may have been uploaded to them. Online advertising companies are tasked with the distribution of the material, and for several reasons, the malicious content of the advertisements are not detected.
Adobe Flash has been struggling lately. Within the past few weeks, the company had to release two fixes for other zero-day exploits, both of which were also incorporated into the Angler exploit kit.
The widespread distribution of information regarding zero-day exploits is made possible through exploit kits such as Angler, which are sold through underground online forums. Hackers, in exchange for paying subscription fees, receive exploit kits that contain codes that can be readily plugged into content such as compromised websites and banner advertisements.
Users can protect themselves from these exploit kits by making sure that they are always running the latest, most secure version of their software. For Adobe Flash, users are suggested to check if they have the latest version already installed.