Adobe are analysing a zero-day vulnerability that has been located in the Angler exploit kit. The exploit kit, used by cyber criminals to distribute malware and hack systems, bundles a wealth of tools and exploits for vulnerabilities, both known and unknown.

A French security researcher analysing the tool kit is said to have located the zero-day vulnerability, present in Adobe Flash Player, that has been packaged up as part of the offering. Targeting Flash is not a rarity for these types of exploit kits, which often pick on Adobe and Flash-type products that are inherently insecure. The difference in this case is that the use of zero-days is rare in these types of kit.

Adobe has not responded to confirm or deny these reports. However, the French security researcher who is analysing the kit has confirmed that the zero-day exploit is not available in all versions of Angler and seems to be part of an enhanced package. From analysing the exploit, the French researcher was able to reproduce the vulnerability against the latest Flash Player version in IE versions 6-8 on Windows XP and Windows 7. The vulnerability seems to work on multiple IE and Windows versions; however, it will not impact Windows 8 or Chrome, as suspected.

Researchers have stated that disabling Flash Player is a good idea until Adobe are able to respond or produce a suitable patch. Other researchers have stated that the Angler strain aims to leverage the vulnerability to install malware variants known as Bedep. Bedep, and other variants, are distributed botnets that can distribute malware across all hosts.

Vulnerabilities in Adobe products are not new. There have been numerous reports of Flash vulnerabilities in the past, and it has been a common attack vector for years (see our article on Adobe releasing patches for Shockwave). Adobe have, in the past, been quite good at identifying these and providing patches on a regular basis. Many of those who use Flash with Internet Explorer as their browser of choice will be hoping this is no different.

