Adobe updated Flash Player to address a zero-day vulnerability and a second critical security hole that could lead to remote code execution.
Adobe started distributing the update, version 18.104.22.1686, over the weekend via the auto-update mechanism in Flash Player. In addition, Adobe sent out a standalone installer Tuesday.
This out-of-band update fixed a use-after-free vulnerability (CVE-2015-0311) that was already being exploited in the wild. Along with it, Adobe patched a double-free flaw that could be exploited for remote code execution (CVE-2015-0312). CVE-2015-0312 was reported to Adobe by a researcher using the online moniker “bilou” through the Chromium Vulnerability Rewards Program.
Adobe advises Windows and Mac users to update their Flash Player installations to version 22.214.171.1246. The Adobe Flash Player Extended Support Release should update to 126.96.36.1994. The latest variant of Flash Player for Linux is 188.8.131.520.
With the release of OS X Yosemite 10.10.2, Apple blocked all Flash Player plugins prior to versions 184.108.40.2066 and 220.127.116.114.
CVE-2015-0311 was first discovered by French researcher Kafeine while analyzing an instance of the Angler exploit kit. Both this vulnerability and CVE-2015-0310, which Adobe fixed last week with an emergency patch, are being exploited by attackers to deliver the Bedep malware.
Initially, researchers thought CVE-2015-0311 was used only in the Angler exploit kit, but they later found attackers using it in malvertising campaigns targeting adult websites.