Adobe on Monday issued a security warning for the third zero-day vulnerability in its Shockwave Flash Player within a month. The vulnerability can possibly cause crashes and allow attackers to take control of the affected system as well.
The company said that it is aware of the situation and will release a patch during this week. Adobe classifies this vulnerability as 'critical' and noted that the Flash Player 22.214.171.1246 and earlier versions for Windows and Macintosh, Flash Player 126.96.36.1994 and earlier 13.x versions, and Flash Player 188.8.131.520 and earlier versions for Linux are affected by the vulnerability. The vulnerability has been listed as CVE-2015-0313 in the Common Vulnerabilities and Exposures database.
Adobe acknowledged Microsoft researchers and TrendMicro for the reporting the bug, and points to a link on the latter's site that suggests the bug is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.
"A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 184.108.40.2066 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," noted company in Security Bulletin on Monday.
TrendMicro noted that the team had monitored this attack since January 14 and the initial analysis suggests that "this might have been executed through the use of the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains."
"According to our data, visitors of the popular site dailymotion.com were redirected to a series of sites that eventually led to the URL hxxp://www.retilio.com/skillt.swf, where the exploit itself was hosted," notes the report.
Notably, the infection happens automatically, and since advertisements on Dailymotion are designed to get loaded by the advertising website, it is likely that this infection was not limited to the Dailymotion website alone. TrendMicro has so far seen around 3,294 hits related to the exploit, and advise users to disable the affected versions of Flash Players until a fixed version is released.
Adobe in the past few weeks also released (via Computerworld) Flash Player updates (Flash Player 220.127.116.117 and 18.104.22.1686) to fix two other critical zero-day vulnerabilities that were already being exploited for malvertising. The two vulnerabilities, CVE-2015-0310 and CVE-2015-0311, were also found to be integrated into the Angler Exploit Kit.