January 21, 2015

Flash 0-day being distributed by Angler Exploit Kit

Nicholas Griffin Security Researcher

Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in-the-wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest version of Flash Player and has been seen dropping a trojan downloader called Bedep.

Websense customers were already protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:

  • Stage 3 (Redirect) – ACE has detection for the redirect to the exploit kit landing page.
  • Stage 4 (Exploit Kit) – ACE has detection for the exploit kit landing pages, as well as the Flash Player exploit itself.
  • Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the Bedep trojan downloader.

[UPDATE] 23 January 2015

Adobe released an update to Flash Player on 22 January 2015 although it does not patch the issue discussed in this blog.

In a further announcement Adobe are hoping to patch CVE-2015-0311 (the vulnerability discussed in this blog and by Adobe here) on 26 January 2015.


The Adobe Flash Player samples that exploit this vulnerability have been shared with Websense, and protection for these malicious files are in place. Adobe have been made aware of this issue and are currently investigating. At the present time, it is not possible to disclose further information regarding specific details of this threat.


Currently, it is known that Angler Exploit Kit is exploiting this Flash Player vulnerability. As we have mentioned previously, it is becoming a growing trend for exploit kits to drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits.  Utilizing vulnerabilities in these popular applications provides attackers with a large surface area of vulnerable clients. Due to the nature of exploit kits, Websense technology is able to target the threat at multiple stages and ensure that protection remains in place independent of the exploits used.


At the present time, Adobe have yet to release a patch for Adobe Flash Player.  One persistent solution, for the time being, is to disable Flash Player in your browser until such time as a patch becomes available.

Websense Security Labs will continue to investigate this issue as more information becomes available.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.