CVE-2016-4171 – Another Flash Zero-Day exploited in targeted attacks

Adobe states that the Flash Player zero-day vulnerability (CVE-2016-4171) has been exploited in targeted attacks. It will be fixed later this week.

Once again Adobe Flash Player is the target of hackers in the wild. Adobe has released security updates for several of its products announcing that the fix for a critical Flash Player zero-day vulnerability (CVE-2016-4171) exploited in targeted attacks will only be issued later this week.

A security fix for the vulnerability is expected to become available starting from June 16.

The security vulnerability was reported by Anton Ivanov from Kaspersky that explained that the flaw could be exploited by hackers gain complete control of the vulnerable systems.

The Flash Player flaw CVE-2016-4171 affects versions 21.0.0.242 and earlier for Windows, Mac, Linux and Chrome OS.

The Adobe Security Advisory confirms that CVE-2016-4171 does not appear to have been exploited in large-scale attacks, anyway threat actors have been leveraged the flaw in surgical attacks.

“A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” states the Adobe Security Advisory.

Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”

Adobe issued a security bulletin to inform users about the availability of security updates for the Adobe Digital Negative (DNG) Software Development Kit (SDK).

Adobe fixed a number of flaws in several products, the company also informed customers about the availability of security updates for the Digital Negative (DNG) software development kit (SDK).

The memory corruption vulnerability (CVE-2016-4167) affects the Windows and Mac versions of the product.

Below a list of other security updates that address the following vulnerabilities in Adobe solutions:

• Security updates for the Adobe Brackets open source code editor that is affected by a JavaScript injection flaw (CVE-2016-4164) and an issue related to the extension manager (CVE-2016-4165).
• Security updates for the Windows version of the Creative Cloud Desktop Application that is affected by an untrusted search path (CVE-2016-4157) and an unquoted service path enumeration vulnerability (CVE-2016-4158).
• Hotfixes for ColdFusion versions 10, 11 and the 2016 release that is affected by a cross-site scripting (XSS) vulnerability (CVE-2016-4159).

Adobe confirmed that its experts are not aware of any exploits existing in the wild for these flaws.

[adrotate banner=”9″]

Pierluigi Paganini

Security Affairs –  (CVE-2016-4171, Adobe)