June 24, 2015

Adobe Flash Player 0-day Abused In The Wild (CVE-2015-3113), Our Customers Protected

Carl Leonard Principal Security Analyst

Websense® Security Labs™ researchers are aware of a vulnerability within Adobe Flash Player, CVE-2015-3113.  Exploitation of  the vulnerability leads to a buffer overflow which can be abused by a malware author to execute arbitrary code on the compromised machine.  Adobe have deemed this vulnerability “critical”.

In the wild, exploitation of this vulnerability has been observed using our ThreatSeeker Intelligence Cloud.

Observed Behaviour In The Wild

Websense Security Labs have been tracking abuse of this 0-day in the wild since the start of June 2015. A typical threat lifecycle is followed from reconnaissance, lure, redirect, exploit, payload, call home.

Observed lure artefacts take the form of emails which contain a link to a website in the Ukrainian TLD space.  The email subject hints at a "2015 Program Kick Off" and the body references a meeting for which the recipient is invited to click a link to "find out more".

Observed target industries include the engineering and science sectors.


Microsoft Windows 8 users of Google Chrome and Internet Explorer should be automatically updated.
Adobe have advised users of Internet Explorer for Windows 7 and below, as well as users of Firefox on Windows XP, that those platform combinations are known targets.

More information on the vulnerability and affected version is available in Adobe's Security Bulletin APSB15-14.


Websense customers are protected against this threat via real-time analytics within ACE, the Websense Advanced Classification Engine,  at the following stages:

                Stage 2 (lure) - ACE has protection for the initial lure emails
                Stage 3 (redirect) - ACE has protection for the website used to direct end users to the payload

Further information on the 7 Stages of Advanced Attacks threat lifecycle model can be found here.


Adobe have released an update to various versions of Flash Player. Customers are encouraged to apply the latest version of Adobe Flash Player as soon as possible.  The latest  versions can be found here: https://get.adobe.com/flashplayer/

An alternative mitigation strategy would be to consider if disabling Flash Player is appropriate in your environment.

Websense Security Labs will continue to monitor this threat and will provide updates as appropriate.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.