Zero-day bug: Is your PC safe?

Security researcher Kafeine revealed vulnerabilities in Flash. (Supplied)

More alerts are being issued about the continuing threat of zero day vulnerability in Adobe’s Flash player software that has affected not just the Internet Explorer but expanded to Firefox as well.

This is despite Adobe announcing a fix to one such vulnerability through a latest update.

Last week security researcher Kafeine revealed vulnerabilities in Flash especially affecting those using Internet Explorer on Windows XP, Windows Vista, Windows 7 and Window 8. He has now updated his list by adding Firefox as well.

Symantec too issued an alert stating that the zero-day bug is reported to affect the latest versions of Adobe Flash Player and has been seen in some versions of the Angler exploit kit. “Symantec regards this vulnerability as critical because Adobe Flash Player is widely used and the flaw allows an attacker to effectively compromise a computer, which then allows for the unauthorized installation of malware.”

Now Trend Micro too has issued a similar alert stating that one of the samples obtained by its Smart Protection Network show that it's the same zero-day exploit that security researcher Kafeine had reported.

Trend Micro in its statement has noted that based on attacks seen so far, the installed malware’s main function is to perform ad fraud against ad networks.

Most of this vulnerability’s victims it says come from the US (84%) with a handful coming from Australia and Taiwan (9% and 5% respectively).

“Vulnerabilities are found all the time. But usually vulnerabilities are fixed with a patch when they’re found, before attackers can target them. As long as you keep your system up-to-date, you’re protected against most vulnerability. What makes this situation serious is that researchers, including our TrendLabs researchers, have discovered that attackers found this vulnerability first and have been attacking it before a patch is available: this kind of situation is called a “zero-day” situation, because defenders have “zero days” to protect against attacks. This means even if you keep your system up-to-date, you’re still at risk of attack until Adobe releases a patch,” commented Christopher Budd, global threat communications manager with Trend Micro.

Symantec on its part has advised that users who are concerned about this issue can temporarily disable Adobe Flash by going to the browser’s settings.

Adobe meanwhile published an update and said it has fixed one of the vulnerabilities and would soon update with a fix for others as well.

In a statement it said, “A Security Advisory (APSA15-01) has been published regarding a critical vulnerability (CVE-2015-0311) in Adobe Flash Player 16.0.0.287 and earlier versions for Windows, Macintosh and Linux.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 Windows 8.1 and below.”

In a further update on January 24 it said that users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.

 

Print Email