Adobe Flash Plagued by More Critical Zero-Days

In what seems like a recurring nightmare for Adobe, yet another zero-day vulnerability has been discovered recently. According to Adobe, “a critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh,” and “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.”

This vulnerability in particular was reported to be packaged into the Angler exploit kit well before it was revealed by security researchers. It comes on the heels of another zero-day exploit that was exposed just last week, CVE-2015-0310. Security researcher Brian Krebs has been advocating the use of EMET (Enhanced Mitigation Experience Toolkit), and Malwarebytes recently released its Anti-Exploit tool. Both of these applications help in preventing an exploit from “directly executing code from the stack, heap, and other non-code memory regions” and preventing an attacker from loading a module “at a predictable address” and expecting “that readable/writable memory will exist at a specific address on all PCs.”
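The first two protections quoted above correspond to DEP and ASLR, which a Windows module opts in to through flags in its PE header. The following is an added example, not code from the original article or from either tool: it reads those flags so a defender can list modules that still depend on a tool such as EMET to force the mitigations. The module names and header bytes are constructed for the demonstration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # module opts in to ASLR (relocatable load address)
NX_COMPAT = 0x0100      # module opts in to DEP (no execution from data pages)
DLLCHAR_OFFSET = 70     # DllCharacteristics offset in the optional header (PE32 and PE32+)


def mitigation_flags(image: bytes) -> dict:
    """Report whether a PE image opts in to ASLR and DEP."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if len(image) < pe_off + 24 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 4 + 16)
    opt_off = pe_off + 4 + 20                           # signature + COFF header
    if opt_size < DLLCHAR_OFFSET + 2 or len(image) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (flags,) = struct.unpack_from("<H", image, opt_off + DLLCHAR_OFFSET)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def build_sample(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a loadable file) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def audit(modules: dict) -> list:
    """Names of modules missing either opt-in: candidates for forced mitigations."""
    return sorted(name for name, img in modules.items()
                  if not all(mitigation_flags(img).values()))


if __name__ == "__main__":
    samples = {"legacy_plugin.dll": build_sample(0x0000),          # constructed names
               "dep_only.dll": build_sample(NX_COMPAT),
               "hardened.dll": build_sample(DYNAMIC_BASE | NX_COMPAT)}
    for name, img in samples.items():
        print(name, mitigation_flags(img))
    print("needs forced ASLR/DEP:", audit(samples))
```

To audit real files, pass `open(path, "rb").read()` for each module to `mitigation_flags`.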

It remains to be seen whether Adobe will release its own solution to add another layer of security against the increasing number of exploits targeting its software. The reality is that for every vulnerability a researcher finds, there are three in the wild that will be exploited in the next update cycle, and only two will be patched.