The vulnerability was discovered and reported by security researcher Kafeine.
The vulnerability was used in attacks against older versions of Flash Player.
Angler EK.
Vulnerability details
Advisory: SB2015011401 - Security bypass in Adobe Flash Player
Vulnerable component: Adobe Flash Player
CVE-ID: CVE-2015-0310
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:H/RL:O/RC:C
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
Description:
The vulnerability allows a remote attacker to circumvent memory address randomization on the target system.
The weakness exists due to a memory leak error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption, bypass memory address randomization on the Windows platform and obtain sensitive information.
Note: the vulnerability was being actively exploited.
External links:
https://helpx.adobe.com/security/products/flash-player/apsb15-02.html
https://ae.norton.com/security_response/writeup.jsp?docid=2015-021009-2659-99
https://www.beyondtrust.com/blog/adobe-patches-zero-day-flaw-being-exploited-in-the-wild/
https://www.intego.com/mac-security-blog/flash-player-0day-vulnerability-jolts-rushed-update/
http://www.pcworld.com/article/2874172/adobe-fixes-just-one-of-two-actively-exploited-zeroday-vulner...
http://www.eweek.com/security/new-zero-day-exploit-adds-to-adobe-flash-security-woes.html