On Monday, Adobe Flash Player users were hit by a zero-day flaw for the third time in two weeks.
The company issued a security advisory for the vulnerability, which it dubbed CVE-2015-0313.
The flaw exists in Flash Player 18.104.22.1686 and earlier versions on Windows and Macintosh platforms. Successful exploitation could crash the desktop and potentially let hackers take control of it, Adobe warned.
The vulnerability is being actively used in drive-by download attacks through Internet Explorer and Firefox on Windows 8.1 and earlier, Adobe said.
The earlier two vulnerabilities have already been patched.
“Given the relative ubiquity and cross-platform reach of many of our products, [they] have attracted increasing attention from attackers,” Adobe spokesperson Heather Edell told TechNewsWorld.
“As always, we take what we learn from each incident and apply it to our efforts moving forward,” she added.
Who Got Hit and How
The CVE-2015-0313 attack consists of malvertising — ads that redirect victims to malicious sites.
In this case, victims were redirected to the HanJuan exploit kit through the delivery.first-impression.com ad network, according to Malwarebytes.
The malicious ad won a bidding process to get displayed for about 93 US cents per impression.
Keeping Pace With Hackers
Adobe has a patch cycle of about five days, Edell said, adding that it “recently hit a record releasing a patch in 36 hours.” Back in 2009, its patch cycle was 10 weeks.
Adobe had to issue two emergency updates in one week in January to fix critical security flaws in Flash Player that were exploited by hackers.
Back in November, Adobe issued two security updates for Flash Player, according to Krebs on Security. One strengthened a patch issued in October for the flaw CVE-2014-8439.
“Over the last five years in particular, we have increased the investment in our security efforts with focused initiatives, faster response times, and improved communication to customers and stakeholders,” Edell pointed out.
No End in Sight
The latest spate of breaches may have its roots in a breach of Adobe’s network back in 2013, suggested Eric Cowperthwaite, vice president, advanced security and strategy, at Core Security.
“Over the course of a couple of weeks, we found out that the bad guys had managed to steal well over 3 million credit cards, 38 million active, production ID/password combos, and source code,” Cowperthwaite told TechNewsWorld.
“At the time, I said that the last part was the worst part of the breach, although the focus was on the credit cards, since that is where everyone sees immediate impact,” Cowperthwaite continued. “I think what we’re seeing now is the fruit of [that] breach.”
Expect the problem to continue because “there are bad guys out there who can research Adobe code at their leisure, find problems in it, exploit it with a zero-day [attack] and there’s pretty [much] nothing that Adobe can do except patch after the fact,” Cowperthwaite predicted.
The best thing users can do from a security perspective is “to understand where your Adobe products are in your network, what sorts of attack pathways are enabled if those products are exploited, and what critical assets are put at risk,” Cowperthwaite recommended.
The recurring problems with Flash have led to the establishment of Occupy Flash,” an organization that seeks to get people to uninstall the Flash Player plugin from their desktop browsers.
Disabling Flash will degrade the user experience at various sites, including Google Analytics, Occupy Flash said.
However, many sites are supporting HTML5 for tasks that once required Flash. For example, YouTube offers an HTML5 video player that users can request by going to https://www.youtube.com/html5.
Adobe itself has announced that Flash Player 11.1 would be the last version of that software for mobile devices, and has abandoned Flash on connected TVs, although the company will continue to develop and support the package on desktops.