First, as reported by SC, security researcher ‘Kafeine’ discovered that black hats were using the ‘Angler’ exploit kit to mount attacks on Flash Player through a previously undiscovered bug (CVE-2015-0311).
But within 24 hours, Adobe admitted that a second zero-day (CVE-2015-0310) was also being used in attacks in the wild.
In a 22 January advisory, the company said this bug “could be used to circumvent memory randomisation mitigations on the Windows platform”, and that it was being “used in attacks against older versions of Flash Player”.
Adobe immediately issued an ‘out-of-band’ patch for this problem, covering Flash Player on Windows, Macintosh and Linux.
The versions patched are Flash Player 220.127.116.117 and earlier, 18.104.22.1680 and earlier 13.x versions, and 22.214.171.1249 and earlier versions for Linux.
But the company has still not been able to fix the zero-day found by Kafeine.
In a separate advisory, it has promised to patch this problem by 30 January at the latest – giving black hats a few more days to exploit the weakness.
Adobe said: “We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below. Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.”
Malwarebytes senior security researcher Jérôme Segura said in a 21 January blog post that this remaining bug is primarily being used for ad fraud.
And he pointed out: “Flash has been plagued with critical vulnerabilities in the past few months and has surpassed the no-longer-popular Java as the most exploited plugin.”
Commenting on the bugs, Logical Step CISO Scott MacKenzie agreed that Adobe is being targeted, but said the company should also get credit for its fast reaction.
He told SCMagazineUK.com via email: “Adobe Flash and Reader are installed on the majority of users' desktops worldwide; as a result these products are closely scrutinised by attackers and security researchers as potential ingress points.
“Adobe is very much where Microsoft was in the late 1990s and early 2000s due to their near ubiquitous desktop install base. Microsoft started taking the security of their code and infrastructure seriously and their systems became more stable and secure. Adobe needs to follow Microsoft's example with respect to security.”
But MacKenzie added: “In this instance, Adobe should be commended for their rapid reaction to the vulnerabilities found and the prompt release of their patches.”
Meanwhile Check Point UK MD Keith Bird told SCMagazineUK.com via email: “Targeting vulnerabilities is a numbers game - attackers will go for popular plug-ins like Flash simply because it's so widespread.
“It's good that Adobe has responded quickly to this issue, but it will still take time for individuals and companies to bring their systems up-to-date.
“As more zero-day exploits are launched, it highlights the need for threat emulation, or sandboxing technology, to stop these attacks that would otherwise bypass conventional anti-malware techniques.”
Mark James, security specialist at ESET, told SC via email: “Flash is used by so many browsers on almost all operating systems, the potential to infect the masses is huge.”
But he advised: “As with a lot of these exploits, using the latest operating system can often help in protecting the end user. Always ensure you are running the very latest version of Flash and keep a close eye for any updates and install them immediately.”