Updated: Adobe today issued a security advisory for CVE-2016-4171, a critical vulnerability in Flash Player, along with four security bulletins notifying users of issues with three other company products.
The Flash Player vulnerability has been spotted in the wild being used in limited, targeted attacks, Adobe said, adding that an update to address the problem will be rolled out, possibly as early as June 16. The issue was discovered by Anton Ivanov and Costin Raiu of Kaspersky Lab. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Wolfgang Kandek, Qualys CTO, said in a blog post that despite the flurry of Adobe and Microsoft bulletins being issued today, Adobe’s Flash Player advisory should take precedence.
“Pay close attention to the release and address as quickly as possible. By the way, this is the third month in a row that we are seeing a 0-day in Flash, making it most certainly the most targeted software on your organization’s endpoints,” Kandek wrote.
Microsoft is expected to release the patch at the same time as Adobe.
Kaspersky Lab’s Costin Raiu said in a blog post that the zero-day is being used by an APT gang called ScarCruft to hit several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania.
“Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes,” Raiu said.
The four bulletins cover issues that have not been exploited in the wild, but still require users’ attention.
Security Bulletin APSB16-21 (CVE-2016-4157, CVE-2016-4158) for Adobe Creative Cloud Desktop Application resolves an untrusted search path vulnerability in the Creative Cloud Desktop Application installer, and an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application.
Adobe released hot fixes for ColdFusion, bulletin APSB16-22 (CVE-2016-4159), that repair an input validation issue that could be used in reflected XSS (cross-site scripting) attacks.
Updated to include Kaspersky Lab information from Costin Raiu.