Gone In A Flash: 3 Adobe Exploits (And Counting) Already in 2015

Bad news for Adobe, as well as for gamers who play online games in web browsers and on tablets, smartphones, and even consoles.

According to a post that appeared today on the Malwarebytes Official Security Blog:

A new Adobe Flash zero-day, the third one this year so far, has been found in the wild via drive-by download attacks, according to firm TrendMicro.

According to our telemetry, Malwarebytes Anti-Exploit has been blocking this zero-day since December 3rd, 2014.

Adobe released a security advisory and assigned the vulnerability as CVE-2015-0313 and rated it critical.

The post went on to detail the attack vector as well as the popular sites that the exploit seems to be focusing on, including (but not necessarily limited to): dailymotion.com, theblaze.com, nydailynews.com, webmail.earthlink.net, and mail.twc.com.

What Malwarebytes did not talk about, however, is something much, much closer to home for players and publishers of online games: while Flash is an “old skool” technology that will eventually be phased out by newer solutions (just this month, for example, YouTube announced they’d be “ditching Flash for HTML5 as their default player”), it’s a core web technology that’s still extremely popular for the delivery of online games.

According to stats offered up on Adobe’s official Flash gaming product site:

“Flash delivers stunning, console-quality games that reach more than 1.3 billion computers and over 500 million phones and tablets.” (emphasis mine)

That’s a lot of opportunity for the bad guys, so be sure to update as soon as humanly possible.


Matthew Cook (@PanopticonMatt)

05 February, 2015