• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Adobe Flash Zero-day used in targeted attacks

Alfa1

Well-known member
#1
Another critical vulnerability in Flash. There is no end to it.

The active zero-day exploit works against the most recent Flash version 21.0.0.242 and was detected earlier this month by researchers from antivirus provider Kaspersky Lab, according to a blog post published Tuesday by Costin Raiu, the director of the company's global research and analysis team. It's being carried out by "ScarCruft," the name Kaspersky has given to a relatively new hacking group engaged in "advanced persistent threat" campaigns that target companies and organizations for high-value information and data.
Source: ArsTechnica

A few of months ago, we deployed a new set of technologies into our products designed to identify and block zero day attacks. These technologies already proved its effectiveness earlier this year, when they caught an Adobe Flash zero day exploit, CVE-2016-1010. Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks.

We believe these attacks are launched by an APT Group we call “ScarCruft”.
Source: SecureList

Adobe Security Advisory

Security Advisory for Adobe Flash Player
Release date: June 14, 2016

Vulnerability identifier: APSA16-03

CVE number: CVE-2016-4171

Platforms: Windows, Macintosh, Linux and Chrome OS

Summary
A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

Severity ratings
Adobe categorizes this as a critical vulnerability.

Acknowledgments
Adobe would like to thank Anton Ivanov and Costin Raiu of Kaspersky Lab for reporting CVE-2016-4171 and for working with Adobe to help protect our customers.