Adobe Patches Zero-Day Flaw ‘Exploited In The Wild’

Adobe has issued a patch for its Flash Player that fixes a critical security hole, which computer security experts say has been used in attacks since March.

The update is the latest sign of the frequent security problems affecting Flash Player, whose widespread presence in browsers has made it an attractive target for online criminals.

Active exploitation

The flaw, known as CVE-2016-4171, was discovered earlier this month by Kaspersky Lab, which said it was being used against particular, high-profile targets.

“Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks,” Adobe said in release notes accompanying the update.

The patch fixes a total of 36 bugs for Flash in Windows, Mac OS, Linux and ChromeOS, some of which Adobe acknowledged were “critical vulnerabilities that could potentially allow an attacker to take control of the affected system”.

Adobe’s Flash software includes an automatic update feature, or users can download the patch from Adobe’s website.

Multiple zero-day bugs

“Just please be sure, if you take this route, that you download Flash Player from the genuine Adobe website,” wrote security analyst Graham Cluley in a blog post. “On many occasions we have seen criminals using social engineering tricks to dupe unsuspecting users into installing bogus Adobe updates, which go on to compromise their computers.”

Another option is to disable Flash or to set it to activate only when clicked, researchers said.

Adobe has been obliged to patch four zero-day Flash bugs in as many months, with emergency updates released in March, April and May of this year.

Google said it plans to disable Flash by default in its market-leading Chrome browser this autumn, but will temporarily exempt certain popular websites, such as YouTube, from the change.

Criminal attacks

Kaspersky Lab said earlier this month that a group it called “ScarCruft” was targeting victims in countries including Russia, Nepal, South Korea, China, India, Kuwait and Romania using two Flash exploits and one affecting Microsoft’s Internet Explorer.

A campaign Kaspersky called “Operation Daybreak”, which began in March, used the zero-day Flash bug, while another operation called “Erebus” used an older bug exploited via watering holes, or sites frequently used by a particular group.

The gang may also have used a zero-day exploit designated CVE-2016-0147 that Adobe patched in April, Kaspersky said.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
