Skip to content
Naked Security Naked Security

Adobe issues emergency fix for Flash zero-day

Crooks are reportedly using a new Flash vulnerability called CVE-2015-0310. Adobe has a fix already, so grab it while it's hot!

Adobe has published an emergency Flash update to protect against a “zero day” exploit.

An attack is known as a zero-day if the crooks start using it before a patch is available.

It’s a curious name, but it is meant to reflect the fact that there were zero days on which you could possibly have been patched before the exploit became known.

A second zero-day, denoted CVE-2015-0311, was mentioned by Adobe in a separate advisory, but no patch is yet available.

According to independent malware researcher Kafeine, this hole seems to be exploitable at least inside Firefox and Internet Explorer, right up to IE 11 on Windows 8.1.

Adobe’s advisory says that it “expects to have a patch available for CVE-2015-0311 during the week of January 26.”

There are two important, somewhat paradoxical things to remember when situations like this arise:

Even if you are unpatched, good “defence-in-depth” malware prevention can stop you getting infected.

That’s because the crooks generally need to get you through a sequence of “insecurity hoops”, including triggering the exploit, to leave you infected.

There’s often all this and more:

  • An HTTP request to a compromised web server.
  • Some obfuscated page content sent back to used to decide which attack vector to try.
  • The exploit itself.
  • The delivery of shellcode (a sort of partial in-memory program) to control the malware download.
  • An HTTP request to fetch the final malware.
  • The delivery and launch of the final malware.

A combination of web URL filtering, web content scanning, anti-virus detection and a Host Intrusion Prevention System (HIPS) can often defeat the attack by disrupting any one of these stages.

Even if you apply a patch, the same crooks may have other ways to infect you.

That’s because so-called exploit kits, used by crooks to infect you when you visit their dodgy websites, typically try a number of different attacks before giving up.

For example, the Angler exploit kit, reportedly being used to carry out zero-day attacks using the as-yet-unpatched exploit, has been associated with many other exploits, including CVE-2013-0074, CVE-2013-3896, CVE-2013-0634, CVE-2013-2465, CVE-2013-5329, CVE-2014-0322, and CVE-2014-0497.

What to do

Here are some tips:

  • Apply the APSB15-02 patch promptly. Even when there are other doors still left open, you may as well close every door you know about as quickly as you can.
  • Consider uninstalling the Flash player if you don’t need it. As this exploit shows, one vulnerability in Flash can affect multiple browsers and operating systems.
  • If you really do use Flash, use “Ask” or “Ask to Activate” mode. This helps you restrict Flash to sites where you know you need it, so an unknown, hacked site will not be able to run malicious Flash in your browser invisibly.
  • Turn on HIPS if your anti-virus supports it. Host Intrusion Prevention Systems that monitor system behaviour while you browse will often detect exploit-like behaviour proactively, even if the details of the exploit are not yet known.

Note. Although the crooks can, and do, change their malware payloads at any time, the attacks currently [2015-01-23T09:30Z] associated with these zero-day threats seem to be a malware family called Troj/Bedep by Sophos products, delivered by an exploit kit component from the family Troj/SwfExp. The Angler exploit kit mentioned above is variously detected using the family names Mal/ExpJS and Troj/JSRedir.


Is there any news from a Sophos perspective on the critical vulnerability CVE-2015-0311?


Aaargh! I misread the numbers in the advisory to be the same as the CVE fixed in the patch :-)

I’ll sort this out now. My apologies…


I think I have de-confused myself now. I can see why you were perplexed by my hyperlink from the text “CVE-2015-0310” to Adobe’s note about “the unpatched CVE-2015-0311.”

Once we have clear details about -0311 and any updated info from Adobe, we’ll probably write it up separately.

I’m really sorry about that.

My little postscript saying “well done Adobe, for patching on the same day as the advisory” must have seemed completely weird. As you can see, I’ve deleted that bit now :-)

Thanks for catching that so quickly.


The patch mentioned by Adobe to be made available during the week of the 26th of January is to resolve the remaining zero day flaw now named CVE-2015-0311.

APSB15-02 addresses CVE-2015-0310



Is Chrome, and its built in PepperFlash vulnerable?


That’s not certain, but in the Kafeine report linked to above, he only tested on Windows and suggests that the attacks in the wild didn’t work against Chrome. Doesn’t mean it isn’t vulnerable, but doesn’t sound as though it’s being exploited right now.


I have updated Flash to the latest version, will this do? Thanks


Hi Nozzy,

Updating to as you have done is a really good way to reduce the chance of any malware infection occurring. If you are using Firefox or Chrome and make use of Flash a lot you might also consider setting Flash as Click to Play as Paul points out. Paul’s other recommendations may also help you.

However until Adobe patches the remaining flaw next week, we are all in some way vulnerable. Paul’s recommendations are thorough and will reduce the risk as much as possible.

I hope this helps. Thank you.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!