Hacker group may be exploiting unpatched vulnerability in Adobe Flash Player

Kaspersky Lab’s latest blog, written by Costin Raiu, points to a security advisory published by Adobe that warns of a critical vulnerability in Adobe Flash Player version 21.0.0.242 and older for ChromeOS, Linux, Macintosh, and Windows-based operating systems. This vulnerability, called CVE-2016-4171, could cause a crash if exploited and allow hackers to take control of the affected system.

Adobe says it is aware of an exploit for CVE-2016-4171 being used in the wild in limited, targeted attacks. However, the company doesn’t seem to be too worried about the problem, as a fix won’t be offered until Adobe dishes out its monthly security update, slated to be released as early as June 16 (just days away).

In its security advisory, Adobe actually acknowledged Anton Ivanov and Costin Raiu of Kaspersky Lab for reporting the vulnerability in Flash Player and working with the company to address the issue. Raiu indicated in his follow-up blog that the exploit was uncovered by new technologies inserted into Kaspersky Lab products to identify and block zero-day attacks. This new tech caught and blocked an Adobe Flash zero-day exploit earlier this year, followed by another one just this month.

Raiu said that the security firm believes a new advanced persistent threat (APT) group internally called “ScarCruft” is behind these attacks. This group has several ongoing operations using two exploits in Adobe Flash and one in Internet Explorer. So far, their victims have resided in a number of countries outside North America including China, India, Kuwait and Romania.

According to the security firm, one of the operations currently in motion is dubbed Operation Daybreak. This attack, launched back in March 2016, focuses on high-profile victims using a zero-day Adobe Flash Player exploit that was previously unknown. Another attack is dubbed Operation Erebus, which uses an older exploit and, according to Raiu, “leverages watering holes.” There may have been a third attack too, but that exploit was patched in April.

In addition to Adobe’s Flash Player security advisory published on Tuesday, Adobe also released a number of security bulletins for Adobe DNG SDK, Adobe Brackets, Adobe Creative Cloud Desktop Application, and ColdFusion. For instance, the company released hotfixes for ColdFusion 10, 11, and the 2016 release that resolve an input validation issue that could be used in reflected cross-site scripting (XSS) attacks. The company recommends that customers update these product installations to the latest release.

Adobe issued security updates for Flash Player just a month ago, addressing vulnerabilities that could allow a hacker to gain control of an affected system. The affected versions those security updates addressed included Adobe Flash Player for Microsoft Edge and Internet Explorer 11 v21.0.0.241 and earlier, as well as Adobe Flash Player for Google Chrome v21.0.0.216 and earlier.

As for the latest attack on Adobe Flash Player, Raiu said that Kaspersky Lab will release more details when Adobe patches the vulnerability, which he expects to be on June 16 as Adobe indicated in its security advisory.

“Until then, we confirm that Microsoft EMET is effective at mitigating the attacks,” he added in the blog.

Kevin Parrish
Former Digital Trends Contributor