For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.
The newest update, version 184.108.40.2065, addresses a critical security bug (CVE-2015-0313) present in the version of Flash that Adobe released on Jan. 27 (v. 220.127.116.116). Adobe said it is are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.
Adobe’s advisory credits both Trend Micro and Microsoft with reporting this bug. Trend Micro published a blog post three days ago warning that the flaw was being used in malvertising attacks – booby-trapped ads uploaded by criminals to online ad networks. Trend also published a more in-depth post examining this flaw’s use in the Hanjuan Exploit Kit, a crimeware package made to be stitched into hacked Web sites and foist malware on visitors via browser plug-in flaws like this one.