Adobe Flash Zero-Day Flaws Discovered, Patching In Progress
Adobe Flash users (which is almost everyone these days) especially those on older versions of Windows OS need to be very careful, according to IT experts on account of several vulnerabilities present in Adobe Flash.
Adobe has confirmed that they are actively working on resolving these “zero-day” vulnerabilities and have even released a patch which fixes one of the problems while the other one, APSA15-01 or CVE-2015-0311 still remains and has yet to be patched.
Through these vulnerabilities, drive-by download attacks can be launched on users on Windows 8 or below which allow the attacker to take control of the affected system. Another way in which the attackers can disrupt the online experience of others is by loading fake advertisements into the web browsers of affected users.
According to Karl Sigler, Threat Intelligence Manager of cybersecurity firm Trustwave, users should be extremely cautious of links sent in untrusted emails and documents. Businesses should use gateway technologies to detect and block malware in real-time.
Since such attacks almost always require users to first open up a malicious website, the best way to be safe from them is not to open a suspicious link at all until the issues get patched by Adobe.
The attack itself was three-pronged. It used an Angler exploit kit website and the Adobe Flash vulnerability to install a malware called Bedep in systems.
“Bedep . . . can load fraudulent ads in your browser or download other malware like Cryptolocker,” Trustwave noted. “Criminals are targeting users who have vulnerable browsers. Even if users reboot their computer, the malware will stay installed.”
As attackers are becoming more and more advanced and skilled with time, companies and individuals are having a hard time coping with it and staying ahead of the curve to avoid such attacks. This is probably also the reason why average spending on security software increased last year.
According to Trustwave, in order to be fully secure from such attacks, companies need to have sufficient IT staff which is not only well-trained but is also provided with proper resources, something which the companies are not doing right now as is evident by the underutilization of investment for software security ($33 out of every $115 is spent on security).