Tuesday, 17 May 2016

New Adobe Flash zero-day vulnerability, actively exploited by cybercriminals



ESET Ireland warns about security advisory by Adobe, detailing an as-yet unpatched critical security hole in its popular Flash player software that is reported to being actively exploited by criminals in the wild. A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system, running malvertising campaigns or watering hole attacks, perhaps in co-ordination with something like the notorious Angler Exploit Kit.


Besides keeping their anti-virus and other software updated, users may wish to consider enabling “Click to Play” in their browser to reduce the attack surface. With “Click to Play” enabled, the browser won’t render potentially malicious Flash content unless given the go-ahead. In other words, a maliciously coded Flash file will not execute unless you give it explicit permission, rather than automatically running when you visit a poisoned webpage.

But Adobe Flash isn’t the only one unsafe. There are plenty of other critical security vulnerabilities being found in software from other vendors all the time. Just this week, for instance, Microsoft released an urgent fix for a zero-day vulnerability in its JScript and VBScript engines, used by the likes of Internet Explorer, and thought to have been used in targeted attacks against South Korea.