Adobe Begins Patching Third Flash Player Zero Day

2015-02-04 16:44:42
Michael Mimoso
threatpost.com

Adobe announced today that it will begin distributing a patch for the third and most recent zero-day vulnerability in Flash Player.

Version 16.0.0.305 will be distributed to users who have enabled auto-update. Adobe said it expects to have a manual update available tomorrow.

“We are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” Adobe said in its advisory.

The new version addresses a use-after-free vulnerability, CVE-2015-0313, that is currently under attack. Exploits were folded into the Hanjuan Exploit Kit, according to researchers at Trustwave’s SpiderLabs.

Researchers surmise that there is likely a connection between the three zero days, the second of which was used in the Angler Exploit Kit; that vulnerability was patched last week. Both exploits use similar heap spray techniques to exploit vulnerable browsers.

Adobe on Monday posted an advisory on CVE-2015-0313, and said it was being exploited in drive-by downloads and malvertising attacks. Some big sites were delivering malicious ads redirecting to the exploits, including DailyMotion, Wowhead, Answers.com, and Engage:BDR, among others. Adobe said attackers’ exploits were targeting Windows 8.1 computers and below running Internet Explorer or Firefox.

French exploit kit researcher Kafeine said the developer of this exploit and the one in Angler could be linked. Hanjuan, meanwhile, is a relatively quiet exploit kit with strong filtering that allows it to elude researchers using virtual machines to study samples.

Trustwave, meanwhile, said the vulnerability is a use-after-free bug, which is caused by a vulnerability in the way Flash handles a fast memory access feature used by processes that support multithreading in Flash.

“Such a condition is a security risk and is usually classified as a use-after-free vulnerability. Using the reference to a freed memory area, it is possible to use/access the heap memory block directly,” Trustwave said. “The exploit uses heap spraying to fill this freed memory with Vector Objects and corrupt the size of a given vector setting it to a very large size. This corrupted Vector will later be used to access the entire memory of the browser process and to gain code execution over the machine.”