Only some users are receiving it at the moment

Jan 25, 2015 13:32 GMT

Adobe has started to push a new version of Flash Player to some of its users; the update eliminates the zero-day vulnerability exploited in the wild by the Angler web-based attack tool.

Tracked as CVE-2015-0311, the glitch was spotted at the beginning of the week by French security researcher Kafeine, who discovered that it was leveraged for the delivery of the Bedep malware, for ad fraud purposes.

Last week, Adobe rolled out another Flash Player security update, 16.0.0.287, and many believed that it would fix the problem. However, the repairs in that build focused on another zero-day, identified as CVE-2015-0310, also exploited by the Angler malicious toolkit.

The tests carried out by the security researcher revealed that CVE-2015-0311 targeted all versions of Flash Player included in any version of Internet Explorer and Mozilla Firefox, on any version of the Windows operating system; in the case of Google Chrome users, the exploit was not triggered.

Adobe announced that it had investigated the matter and that it was working on solving the issue. The company has finished the patch, which is present in Flash Player 16.0.0.296; at the moment, this version is being sent to all users who have enabled the auto-update feature for the desktop runtime version of the product.

Currently, no manual download is available, but the package is expected to appear during the week of January 26.

In the security advisory published on Saturday, Adobe also says that it is working with distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.

The new Flash Player will be available in the two web browsers without user intervention, through the automatic update mechanisms of the products.

[UPDATE]: Adobe made the desktop runtime version of Flash Player 16.0.0.296 available for download for Windows and Mac.
