Adobe patches Flash Zero-Day exploited by ScarCruft APT

Pierluigi Paganini June 19, 2016

Adobe Flash Player 22.0.0.192 release fixes the Flash Player zero-day vulnerability (CVE-2016-4171) exploited by the APT group dubbed ScarCruft.

Adobe has issued the Flash Player 22.0.0.192, a release that fixes the Flash Player zero-day vulnerability (CVE-2016-4171) exploited by the APT group dubbed ScarCruft in attacks on high-profile targets.

The Flash Player flaw CVE-2016-4171 affects versions 21.0.0.242 and earlier for Windows, Mac, Linux and Chrome OS, according to Kaspersky a threat actor behind the “Operation Daybreak” used it in targeted attacks conducted March 2016.

According to Kaspersky Lab, the ScarCruft APT group exploited the zero day in a series of attacks against high-profile targets against entities in Russia, Nepal, South Korea, China, Kuwait, India and Romania.

“Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims.” explained Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab. “The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.”

The new release addressed a total of 36 flaws that could be exploited by hackers to run arbitrary code on the vulnerable systems and that could result in information disclosure.

The flaws were reported to Adobe by security experts from Cisco, FireEye, Google, Kaspersky Lab, Microsoft, Pangu LAB, Qihoo 360, and Tencent.

The list of flaws fixed includes use-after-free, directory search path, heap buffer overflow, and same-origin policy (SOP) bypass vulnerabilities.

The ScarCruft APT exploited also another vulnerability (CVE-2016-0147) in Microsoft XML Core Services (MSXML) affecting Microsoft Windows. This second flaw can be exploited through Internet Explorer, Microsoft issued a security patch in April, but hackers exploited before the fix was released.

scarcruft Adobe flash zero-day

“It is not a secret that anti-malware systems trigger on special system functions that are called in the context of potential vulnerable applications to make a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute,” Ivanov and Raiu wrote in a blog post published on SecureList.

“For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, scripts interpreters or even the command console,” the experts added. “To make execution of payload invisible for these defense systems, the threat actors used the Windows DDE interface in a very clever way.”

According to the experts from Kaspersky, the malicious code (HEUR:Trojan.Win32.ScarCruft.gen) used by threat actors in Operation Daybreak is “extremely rare” and likely used only for surgical attacks.

Experts from Kaspersky explained that Flash Player exploits in the wild are becoming rare because they need to be coupled with a Sandbox bypass exploit, furthermore Adobe is spending a significant effort in implementing new mitigations to make exploitation of Flash Player more and more difficult.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

Security Affairs – (CVE-2016-4171 Zero-Day, Adobe)

[adrotate banner=”5″]

[adrotate banner=”13″]

Adobe Adobe Flash APT CVE-2016-4171 Hacking ScarCruft targeted attacks zero-Day

Pierluigi Paganini September 20, 2025

A cyberattack on Collins Aerospace disrupted operations at major European airports

Pierluigi Paganini September 20, 2025