Flash zero-day vulnerability patched
Adobe says it will fix a third critical vulnerability in its Flash Player after it was revealed hackers are exploiting it to carry out a malvertising campaign on the Dailymotion websiteReuters

A third vulnerability in Adode's Flash Player has been discovered since the beginning of the year, and is being actively used to attack visitors to the popular video-sharing website Dailymotion.

The revelation comes after two other vulnerabilities in the much maligned piece of software were revealed in January with hackers actively exploiting the flaws using the Angler Exploit Kit to install malware on the victims' systems.

This week Adobe said confirmed a "critical vulnerability" exists in its Flash Player software - version 16.0.0.296 (and earlier) - which affects Windows, Mac and Linux systems.

According to security company Trend Micro, which has been monitoring the vulnerability since 14 January, hackers are actively exploiting it to carry out malvertising campaigns, with visitors to Dailymotion.com redirected through a series of other websites until landing on the URL where the exploit was hosted.

Trend Micro added that as with most malvertising campaigns, the problem does not lie with the website itself, but with the adverts being hosted on the website:

"It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site. It is likely that this was not limited to the Dailymotion website alone, since the infection was triggered from the advertising platform and not the website content itself."

Dailymotion has however denied that the problem impacted its users, saying that "none of its users have been affected by a recent Flash vulnerability in its advertising platforms. Dailymotion monitors the quality of ads delivered on its website through the robust technology of its advertising partners, as well as through partnerships with specialised third-party services."

Disable Flash

The company saw a spike in visits to the malicious URL on 27 January and said that most of the people affected were in the United States.

Trend Micro advises that "since the exploit affects the latest version of Flash, users may consider disabling Flash Player until a fixed version is released."

Adobe said that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

The company said it was aware this vulnerability is being "actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below."

A patch for the vulnerability is currently in the works, with Adobe saying it would issue the fix at some point this week, but wouldn't give a more specific timeline.