CVE-2016-4171 – Another Flash Zero-Day exploited in targeted attacks

Adobe states that the Flash Player zero-day vulnerability (CVE-2016-4171) has been exploited in targeted attacks. It will be fixed later this week.

Once again Adobe Flash Player is the target of hackers in the wild. Adobe has released security updates for several of its products announcing that the fix for a critical Flash Player zero-day vulnerability (CVE-2016-4171) exploited in targeted attacks will only be issued later this week.

A security fix for the vulnerability is expected to become available starting from June 16.

The security vulnerability was reported by Anton Ivanov from Kaspersky that explained that the flaw could be exploited by hackers gain complete control of the vulnerable systems.

The Flash Player flaw CVE-2016-4171 affects versions 21.0.0.242 and earlier for Windows, Mac, Linux and Chrome OS.

The Adobe Security Advisory confirms that CVE-2016-4171 does not appear to have been exploited in large-scale attacks, anyway threat actors have been leveraged the flaw in surgical attacks.

“A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” states the Adobe Security Advisory.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”

Adobe issued a security bulletin to inform users about the availability of security updates for the Adobe Digital Negative (DNG) Software Development Kit (SDK).

Adobe fixed a number of flaws in several products, the company also informed customers about the availability of security updates for the Digital Negative (DNG) software development kit (SDK).

The memory corruption vulnerability (CVE-2016-4167) affects the Windows and Mac versions of the product.

Below a list of other security updates that address the following vulnerabilities in Adobe solutions:

Security updates for the Adobe Brackets open source code editor that is affected by a JavaScript injection flaw (CVE-2016-4164) and an issue related to the extension manager (CVE-2016-4165).
Security updates for the Windows version of the Creative Cloud Desktop Application that is affected by an untrusted search path (CVE-2016-4157) and an unquoted service path enumeration vulnerability (CVE-2016-4158).
Hotfixes for ColdFusion versions 10, 11 and the 2016 release that is affected by a cross-site scripting (XSS) vulnerability (CVE-2016-4159).

Adobe confirmed that its experts are not aware of any exploits existing in the wild for these flaws.

[adrotate banner=”9″]

Pierluigi Paganini

Security Affairs – (CVE-2016-4171, Adobe)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.