A security researcher has discovered a new zero-day vulnerability targeting Adobe's Flash Player software which attackers have already built into the popular Angler exploit kit.
Security researcher Kafeine today noted that one variant of Angler launched three "bullets", or payloads, to exploit flaws in Flash Player - two of which were known, but one which was a fresh attack.
As with previous payloads, the new zero-day in Angler deploys the Bedep distribution botnet on vulnerable systems.
Bedep can load a range of payloads of malicious software on infected machines, including denial of service and remote access programs.
The sites in question are often legitimate ones, but once infected serve up malicious advertisements unknowingly - so-called malvertising.
While refusing to disclose details of the Flash flaw ahead of an Adobe patch expected in the coming days, Kafeine said Windows XP running Internet Explorer versions 6 to 9 were vulnerable, as was the latest version of Flash Player, 18.104.22.1687.
Windows 7 with Internet Explorer 8 and Flash Player 22.214.171.124 as well as Windows 8, IE 10 and Flash Player 126.96.36.199 are also vulnerable.
Tests conducted by Kafeine showed that Windows 8.1 fully updated is safe from the exploit. Angler does not fire the payloads on Google's Chrome web browser, according to Kafeine's testing.
Kafeine suggested users should disable Adobe Flash Player for a few days while awaiting a patch.
Director of special projects at security vendor Malwarebytes, Pedro Bustamente, warned that the new vulnerability could be a big security risk for internet users as it allowed attackers entry to their systems.
Bustamente said the fact that it had been integrated into the Angler kit showed that criminals were keen to use the flaw to target businesses and individuals en masse.
“The danger of any zero-day is that there is no patch in existence, so I would recommend caution by web users until a confirmation and update is issued. We would also urge people to update security software,” Bustamente said.
Adobe last patched Flash Player on January 14.