Adobe: Flash Player under attack again, patch on its way

Adobe is racing out a patch for a previously undisclosed flaw in Flash Player that it says is being used in targeted attacks.

Adobe released security updates for several products but delayed its usual Patch Tuesday security update for Flash Player as it prepares a patch for a zero day that is being exploited in the wild. Adobe said it will release the Flash Player update as early as Thursday.

The critical flaw, marked as CVE-2016-4171, was being used in “limited, targeted attacks”, it said.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” the company noted.

The vulnerability affects Flash Player version 21.0.0.242 and earlier for Windows, Mac, Linux and Chrome OS.
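Checking an endpoint inventory against the affected range is where version strings bite: compared as text, "21.0.0.9" sorts after "21.0.0.242" and a vulnerable host looks patched. The following is an added example, not code from Adobe or from the article, that parses dotted versions numerically and flags hosts at or below 21.0.0.242; the inventory rows and the hypothetical fixed version 22.0.0.192 used in them are constructed sample data.

```python
import re

# Upper bound of the affected range stated in the advisory (CVE-2016-4171).
LAST_AFFECTED = "21.0.0.242"


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version ('21.0.0.242') into a tuple of ints.

    Tuples of ints compare component by component, which is what we want;
    the raw strings compare character by character, which is not.
    Short versions are padded to four components so '21.0' == 21.0.0.0.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts)) if len(parts) < 4 else parts


def is_affected(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed build is at or below the last affected build."""
    return parse_version(installed) <= parse_version(last_affected)


# Constructed sample inventory (hostname, reported Flash Player version).
# 22.0.0.192 stands in for a hypothetical post-patch build.
SAMPLE_INVENTORY = [
    ("ws-001", "21.0.0.242"),   # exactly the last affected build
    ("ws-002", "21.0.0.213"),   # older affected build
    ("ws-003", "21.0.0.9"),     # affected, but sorts 'above' 21.0.0.242 as text
    ("ws-004", "22.0.0.192"),   # hypothetical fixed build
    ("ws-005", "18.0.0.360"),   # older branch, still in range
]


def hosts_needing_patch(inventory):
    """Return the hostnames whose installed version falls in the affected range."""
    return [host for host, version in inventory if is_affected(version)]


def naive_string_compare(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """The wrong way, kept only to show the failure mode: lexicographic comparison."""
    return installed <= last_affected


if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(f"{host}: {version} affected={is_affected(version)} "
              f"naive={naive_string_compare(version)}")
```

Feeding real data to `hosts_needing_patch` means replacing the constructed rows with whatever your inventory tool reports for the Flash Player plug-in; the comparison logic does not change. `naive_string_compare` is there to make the pitfall visible side by side: it reports ws-003 as not affected.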

This is the third consecutive month that Adobe has been required to patch a flaw in Flash after it was already being exploited. It similarly delayed a patch last month by two days due to a live exploit for Flash Player.

Targeted attacks are generally less of a concern for most browser users; however, the risk increases once for-hire exploit kits integrate attacks for the flaw. This often happens within a few days of Adobe releasing patches for critical Flash Player flaws, enabling widespread attacks from compromised websites or malicious ads.

Adobe on Tuesday also released patches for its DNG Software Development Kit, Adobe Brackets, the Creative Cloud Desktop Application, and Cold Fusion.

The company was not aware of publicly available exploits existing for any of the flaws in these products.

As it is Patch Tuesday, Microsoft released monthly security updates for its server, desktop and web products. The company released 16 bulletins covering 40 vulnerabilities.

While Microsoft was not aware of any zero days for its products, Wolfgang Kandek, CTO of security firm Qualys, highlighted several bugs that enterprise organisations should make a priority to fix.

These included a remote code execution bug on Microsoft’s DNS server. “Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability,” wrote Kandek.

Another critical remote code execution bug in Microsoft Office should be addressed swiftly. The bug is present in Office RTF format and could be exploited just by sending a malicious file to the target.

“Since RTF can be used to attack through Outlook’s preview pane, the flaw can be triggered with a simple e-mail without user interaction,” wrote Kandek.

Microsoft also provided fixes for a number of remote code execution flaws in Internet Explorer, Edge, Javascript on Windows Vista.


Stories by Liam Tung
