Less than five weeks into the new year, 2015 is already shaping up as one of the most perilous years for users of Adobe Flash, with active exploits against three separate zero-day vulnerabilities, one of which still wasn’t fully patched as this post went live.
The latest attacks are hitting unsuspecting targets through drive-by downloads served through ads on dailymotion.com, theblaze.com, nydailynews.com, tagged.com, webmail.earthlink.net, and other sites, according to research from Malwarebytes. And while the vulnerability wasn’t disclosed until this week, the exploits have been active and in the wild since December 3, Malwarebytes found.
While the attacks target Windows users running Flash in a Firefox or Internet Explorer browser, the underlying CVE-2015-0313 security bug is present in Flash for Macs and Linux machines as well. On late Wednesday, Adobe began distributing a fix to users who have opted to receive automatic updates. In the meantime, readers should consider disabling Flash altogether, or at the very least, using Flash inside Google Chrome, the browser many security experts say provides the most comprehensive anti-exploit protections. Attacks exploiting CVE-2015-0313 are unable to escape the Chrome security sandbox, research from Trend Micro found.