Adobe has patched a zero-day vulnerability in its Flash Player software which was being actively exploited by criminals, but the company has yet to address another zero-day flaw in the same software, which is being used in the Angler Exploit Kit.
Earlier this week security researcher Kafeine revealed that a vulnerability in Flash was affecting people using Internet Explorer on Windows XP, Windows Vista, Windows 7 and Windows 8, with the criminals using the Angler Exploit Kit to install the Bedep malware, which is used in ad-fraud campaigns.
Exploit kits are automated software tools that allow thieves to rig hacked websites to deploy malicious code, which is usually downloaded without the victim's knowledge.
On Thursday Kafeine updated his blog to reveal the hackers had adapted the exploit kit to also attack users of the Firefox browser, meaning millions more people were vulnerable to attack.
The researcher also added that a fully-patched version of Internet Explorer 11 on Windows 8.1 was now also vulnerable, having previously been protected.
In an advisory also published on Thursday (22 January), Adobe announced an update to its Flash Player software which patched a vulnerability (CVE-2015-0310) that would allow hackers to "circumvent memory randomisation mitigations on the Windows platform". This is not the flaw which is being used by the Angler Exploit Kit.
A zero-day attack refers to a flaw in the software which is unknown to the manufacturers. This security hole is then exploited by hackers before the vendor becomes aware and rushes to fix it - meaning they have zero days to fix it before it is exploited.
Adobe said, however, that it was aware of the flaw being used by the Angler Exploit Kit and would issue a patch next week.
"We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below. Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26."
Warning of the dangers of integrating this vulnerability into the Angler Exploit Kit, Pedro Bustamante from Malwarebytes said:
"The zero-day vulnerability in Flash Player, as discovered by Kafeine, could provide a big security risk for Internet users, effectively opening an unguarded window onto PCs worldwide. The fact that it has seemingly been integrated into the Angler Exploit Kit shows that criminals are keen to use it to target people and businesses en masse.
"Using a delivery mechanism such as Angler increases the chance of successful infections, allowing for accurate attacks through infected adverts on high traffic websites."
Richard Cassidy from Alert Logic says that exploit kits are an attractive tool for criminals, particularly those without a huge amount of technical expertise:
"From an attacker perspective exploit kits make the task of gaining access to a user's system through web based exploitable vulnerabilities very easy indeed, you simply don't need a great deal of security or technical expertise to effectively use them and can gain access to compromise systems in a very short period of time."