Over the weekend, our Trend Micro researchers discovered a new, unpatched vulnerability affecting Adobe Flash. This new vulnerability puts all users of the current version of Adobe Flash at risk.
Our researchers have found that this attack dates back to at least January 14, 2015, but that attacks took a turn for the worse starting on January 27, 2015. We recently notified Adobe of this issue.
This situation is nearly identical to the one we wrote about last weekend in “New ‘Zero-day’ in Adobe Flash: What You Need to Know”. As in that case, the attacks are being carried out through compromised online advertisements (a technique sometimes called “malvertising”).
Based on data from the Trend Micro™ Smart Protection Network™, we’ve seen 3,294 hits on a known, compromised site. These latest attacks appear so far to be primarily affecting users in the United States.
While Adobe provided an update for the vulnerability we discussed last week, they don’t currently have a patch for this latest vulnerability that our researchers found. We are in direct contact with Adobe and are working closely with them on this situation. They have been very responsive and are working hard on a patch to fix this. They have told us that they expect to release a patch for this problem sometime this week.
Trend Micro customers who are using Trend Micro Security, OfficeScan, Worry-Free Business Security and Deep Discovery are already protected from the attacks we’ve seen.
If you’re not a Trend Micro customer using these products, you should consider disabling Adobe Flash until a patch is available.
We will update this posting when that patch is released.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.