Trend Micro is reporting (see here) yet another Adobe Flash zero-day attack in the wild. Yes, this is a new one. No, this is not the one I reported on last week. I had to read the article three times to convince myself this was not the exploit I wrote about last week. Trend Micro has already caught about 3,300 instances of this attack among their user base. Given that their user base is huge, 3,300 is a small number, but there is not a fix for this yet. Adobe is promising one this week.
To say that 2015 has not started out well for Adobe would be kind. They released their normal Flash update in January that fixed 9 critical flaws. Then 9 days later, they released an out-of-band patch to fix a critical flaw that was being exploited. Last Saturday, they released another patch to fix a critical flaw and now they are saying they are going to release another patch this week. That would be 5 patch releases in the first 5 weeks of the year. Out-of-band patches are a huge pain for both developers and users, so software vendors like Adobe reserve them for critical problems.
This flaw is particularly nasty because, Trend Micro says, it is showing up in ads appearing on web pages and IT DOES NOT REQUIRE THE USER TO CLICK ON THE AD TO WORK.
Some people are suggesting you disable Flash, but that would make many web sites look like a blank page. I would suggest, at a minimum, that you make sure that you are using a highly rated antivirus product (apparently Trend Micro does catch this and it is pretty cheap – I saw a version of Trend the other day on Amazon for $25/year for 3 PCs or $8 a PC a year).
And, yes, watch for yet another Flash update this week on a computer near you.