Flash Zero-Day Exploited in the Wild, Affecting All Versions – Fix Coming Later This Week
Adobe today released information about an emergency patch that will fix a zero-day vulnerability in Flash. The flaw is being exploited in the wild, and Adobe plans to release the fix on Thursday, June 16.
Flash zero-day used in live attacks
Adobe has released security updates for a number of its products; however, a Flash vulnerability rated critical is still waiting for a patch. The zero-day vulnerability is being exploited in targeted attacks and will hopefully be resolved later this week, Adobe said in its security advisory. The flaw allows an attacker to take control of vulnerable systems. Anton Ivanov and Costin Raiu of Kaspersky Lab, who informed Adobe of this vulnerability, have reported that it was used in targeted attacks.
Adobe said that an exploit for the zero-day vulnerability exists in the wild, but that it does not appear to have been used in large-scale attacks. The flaw "is being used in limited, targeted attacks," the company has claimed.
Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks.
A critical vulnerability (CVE-2016-4171) exists in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
The critical Flash zero-day vulnerability (CVE-2016-4171) affects Flash Player 22.214.171.124 and earlier versions. Users are affected on all operating systems, including Windows, Macintosh, Linux, and Chrome OS. Flash 126.96.36.199 is the company's latest version, which means this zero-day affects ALL Flash installations. Users are advised to update Flash Player on their devices as soon as the security patch is released later this week. We will keep this space updated with any developments.
Adobe also issued security patches for Adobe Brackets Web IDE, Creative Cloud desktop app, ColdFusion, and DNG SDK. For more information about the flaws fixed, please visit the security advisory.