Another critical vulnerability in Adobe Flash Player has been identified and patched, and this time Adobe's own advisory says an exploit for it already exists in the wild and is being used in limited, targeted attacks.
The vulnerability, CVE-2016-4117, rated critical, was reported by FireEye engineer Genwei Jiang. Adobe publicly acknowledged it in a security advisory on May 10, noting that it affects Flash Player 21.0.0.226 and earlier on Windows, Mac, Chrome OS and Linux.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” it said in its advisory.
Adobe published no technical details of the flaw or of the attacks using it, but Flash bugs are found frequently and have been exploited many times before. Security expert Graham Cluley expects that this latest flaw was used in malvertising or watering hole attacks via the Angler Exploit Kit. Malicious ads served through legitimate ad networks are a common way for an exploit kit to reach a victim's browser without the victim visiting a suspicious site.
Flash is still installed on many computers, and that alone continues to pose a serious threat to users, said ESET U.K. security specialist Mark James.
“The program itself is one of many that users will leave on their machine without actually using it or understanding the security risk,” he said.
Users are advised to confirm that they are running the patched build (Adobe's bulletin lists the fixed version number for each platform; a simple "latest version" check is not enough, because Linux and the Extended Support Release are on different version branches) or, if they do not need Flash at all, to uninstall it. Flash bundled with Chrome, and with Edge or Internet Explorer 11 on Windows 8.1 and 10, is updated through the browser or Windows Update rather than by Adobe's installer.
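For anyone checking more than one machine, the comparison is easy to get wrong: Flash version strings have four numeric fields and a string compare ranks `21.0.0.9` above `21.0.0.242`, and the Linux and Extended Support Release branches carry lower major numbers than the desktop build without being older. The script below is an added example written for this article, not Adobe's or FireEye's code; it parses version strings numerically and compares each install against the fixed build on its own branch. The fixed-build numbers are an assumption taken from my reading of Adobe bulletin APSB16-15 and must be verified against that bulletin before use, and the inventory it scans is constructed sample data.

```python
# Added example (not from the article): flag Flash Player installs older than
# the builds Adobe shipped to fix CVE-2016-4117.

# ASSUMPTION: fixed builds per release branch, keyed by major version. These
# are from my reading of Adobe bulletin APSB16-15; verify before relying on them.
FIXED_BUILD_BY_BRANCH = {
    21: (21, 0, 0, 242),    # desktop, Chrome, Edge/IE11 branch
    18: (18, 0, 0, 352),    # Extended Support Release branch
    11: (11, 2, 202, 621),  # Linux NPAPI branch
}
NEWEST_FIXED_MAJOR = max(FIXED_BUILD_BY_BRANCH)


def parse_version(text):
    """Turn 'major.minor.build.rev' into a tuple of ints.

    Tuples compare numerically field by field; comparing the raw strings
    would rank '21.0.0.9' above '21.0.0.242' and miss a vulnerable install.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text):
    """True if the install predates the fixed build on its own release branch.

    An 18.x install is on the ESR branch and is judged against the ESR fix,
    not the 21.x one. A major with no known fix that is older than the newest
    fixed branch (e.g. 10.x) is reported vulnerable; a newer major is not.
    """
    version = parse_version(version_text)
    major = version[0]
    fixed = FIXED_BUILD_BY_BRANCH.get(major)
    if fixed is None:
        return major < NEWEST_FIXED_MAJOR
    return version < fixed


def find_vulnerable_hosts(inventory_lines):
    """Scan 'host,version' lines; return hosts needing the update.

    Lines whose version does not parse are listed under 'unparsed' so a
    missing or garbled value is never silently treated as patched.
    """
    vulnerable, unparsed = [], []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            if is_vulnerable(version):
                vulnerable.append((host.strip(), version.strip()))
        except ValueError:
            unparsed.append(host.strip())
    return {"vulnerable": vulnerable, "unparsed": unparsed}


# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = """\
# host,flash_version
ws01,21.0.0.226
ws02,21.0.0.242
ws03,21.0.0.9
lx01,11.2.202.616
lx02,11.2.202.621
esr01,18.0.0.343
ws04,not-installed
"""

if __name__ == "__main__":
    result = find_vulnerable_hosts(SAMPLE_INVENTORY.splitlines())
    for host, version in result["vulnerable"]:
        print(f"{host}: Flash {version} predates the fixed build, update it")
    for host in result["unparsed"]:
        print(f"{host}: no readable Flash version, check manually")
```

Run against the sample data it reports ws01, ws03, lx01 and esr01 as needing the update and ws04 as unreadable; ws02 and lx02 are on the fixed builds for their branches. Feed it `host,version` lines collected from your own inventory tooling and replace the fixed-build table with the values from the bulletin.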
Flash vulnerabilities are a regular bugbear for the security community. Last year, Facebook's chief security officer Alex Stamos called on Adobe to put a plan in place for calling time on Flash once and for all. Mozilla went as far as temporarily blocking vulnerable Flash versions in Firefox by default after a series of zero-days (flaws being exploited before a patch was available) emerged in quick succession.
Most recently, Adobe issued an emergency patch in early April after a Flash flaw was found being exploited to deliver ransomware, the sort of malware that encrypts a victim's files and demands payment for the key, typically a few hundred dollars.