Adobe Flash Player isn’t exactly the most secure software in the world. In fact, it was the target of the top 10 exploit kits in 2015, and it accounted for 17 percent of the total zero days last year. Now it has another flaw to add to its collection, as a new critical vulnerability has been uncovered.
The vulnerability was discovered by software security group Kaspersky, which has developed and deployed a new set of technologies that can identify and prevent zero-day attacks. According to Kaspersky global research and analysis director Costin Raiu, these technologies have proven themselves to be effective by catching an Adobe Flash zero-day exploit, tracked as CVE-2016-1010, in the early part of 2016. They gave a repeat performance when they detected another exploit this month, which is tracked as CVE-2016-4171 and has already been used in several attacks.
Kaspersky believes that these attacks come from ScarCruft, a relatively new APT group that’s behind two major operations, namely Operation Daybreak and Operation Erebus. The former uses a previously unknown exploit for Adobe Flash Player, while the latter uses the exploit for CVE-2016-4117. Kaspersky has found that ScarCruft’s victims are based in several countries, including China, South Korea, India, Russia, Nepal, Romania, and Kuwait.
Adobe is already aware that CVE-2016-4171 exists in the wild and is already being used in attacks, and they have categorized it as a critical vulnerability. The company has announced that it will release a security patch for it on June 16.
It’s important to note that CVE-2016-4171 affects the latest version of Adobe Flash Player, v188.8.131.52, as well as earlier versions. This can be taken to mean that even updating to the latest version of the product is no longer a guarantee that users would stay safe and be protected from security threats. Still, this doesn’t mean that Adobe Flash Player users should stop updating the product; in fact, it’s highly important to continually download the latest updates to receive the security patches that Adobe releases.
Flash Player users should stay tuned so they can download the security patch for CVE-2016-4171 as soon as Adobe releases it. In the meantime, Raiu points out that Microsoft EMET can help mitigate the attacks and can be used while waiting for Adobe to patch the vulnerability.