Skip to main content
  1. Home
  2. Computing
  3. News

Hacker group may be exploiting unpatched vulnerability in Adobe Flash Player

Kevin Parrish
By

adobe exploit scarcruft heartbleed bug hacker
Image used with permission by copyright holder
Kaspersky Lab’s latest blog, written by Costin Raiu, points to a security advisory published by Adobe that warns of a critical vulnerability in Adobe Flash Player version 21.0.0.242 and older for ChromeOS, Linux, Macintosh, and Windows-based operating systems. This vulnerability, called CVE-2016-4171, could cause a crash if exploited and allow hackers to take control of the affected system.

According to Adobe, it’s aware of an exploit of CVE-2016-4171 being used in the wild in limited, targeted attacks. However, the company doesn’t seem to be too worried about the problem, as a fix won’t be offered until Adobe dishes out its monthly security update slated to be released as early as June 16 (just days away).

Recommended Videos

In its security advisory, Adobe actually acknowledged Anton Ivanov and Costin Raiu of Kaspersky Lab for reporting the vulnerability in Flash Player and working with the company to address the issue. Raiu indicated in his follow-up blog that the exploit was uncovered by new technologies inserted into Kaspersky Lab products to identify and block zero-day attacks. This new tech caught and blocked an Adobe Flash zero-day exploit earlier this year, followed by another one just this month.

Raiu said that the security firm believes a new advanced persistent threat (APT) group internally called “ScarCruft” is behind these attacks. This group has several ongoing operations using two exploits in Adobe Flash and one in Internet Explorer. So far, their victims have resided in a number of countries outside North America including China, India, Kuwait and Romania.

According to the security firm, one of the operations currently in motion is dubbed Operation Daybreak. This attack, launched back in March 2016, focuses on high-profile victims using a zero-day Adobe Flash Player exploit that was previously unknown. Another attack is dubbed Operation Erebus, which uses an older exploit and, according to Raiu, “leverages watering holes.” There may have been a third attack too, but that exploit was patched in April.

In addition to Adobe’s Flash Player security advisory published on Tuesday, Adobe also released a number of security bulletins for Adobe DNG SDK, Adobe Brackets, Adobe Creative Cloud Desktop Application, and ColdFusion. For instance, the company released hotfixes for ColdFusion 10, 11, and the 2016 release that resolve an input validation issue that could be used in reflected cross-site scripting (XSS) attacks. The company recommends that customers update these product installations to the latest release.

Adobe issued security updates for Flash Player just a month ago, addressing vulnerabilities that could allow a hacker to gain control of an affected system. One of the affected versions the security updates addressed was Adobe Flash Player for Microsoft Edge and Internet Explorer 11 v21.0.0.241 and earlier, as well as Adobe Flash Player for Google Chrome v21.0.0.216 and earlier.

As for the latest attack on Adobe Flash Player, Raiu said that Kaspersky Lab will release more details when Adobe patches the vulnerability, which he expects to be on June 16 as Adobe indicated in its security advisory.

“Until then, we confirm that Microsoft EMET is effective at mitigating the attacks,” he added in the blog.

Topics
Kevin Parrish
Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
One of Lenovo’s best-selling ThinkPad laptops is 45% off today
Lenovo ThinkPad X1 Carbon Gen 12 front angled view showing display and keyboard.

If you're on browsing through laptop deals for a machine that will immensely help in boosting your productivity, you may want to check out Lenovo's offer for the popular Lenovo ThinkPad X1 Carbon Gen 11. It's a powerful device so its original price is $3,319, but a 45% discount from Lenovo brings it down to a more reasonable $1,825. That's $1,494 in savings that you'll be able to spend on software and accessories, but you're going to have to proceed with the purchase right now if you want to make sure that you get it because this is a clearance sale, so there's no guarantee that stocks will still be available tomorrow.

Why you should buy the Lenovo ThinkPad X1 Carbon
The Lenovo ThinkPad X1 Carbon Gen 11 challenges the performance of the best laptops with its 13th-generation Intel Core i7 processor, integrated Intel Iris Xe Graphics, and 16GB of RAM that our guide on how much RAM do you need says is similar to what you'll find in top-tier machines. The device comes with a 14-inch touchscreen with WUXGA resolution for sharp details and bright colors, a 1TB SSD for ample storage space for your files, and Windows 11 Pro pre-installed so that you can access the more advanced capabilities of the operating system.

Read more
The world’s first 8K mini-LED monitor has arrived
The Asus ProArt PA32KCX 8K mini-LED professional monitor placed on a desk next to a workstation PC.

When it comes to the best professional-grade monitors, resolution, brightness, and color accuracy are all paramount. Asus is aiming to ace all three (and a lot more) with its newly announced ProArt PA32KCX, which is also the world’s first 8K mini-LED professional monitor.

The 8K resolution is the standout spec, of course. The monitor has a resolution of 7680 x 4320 across its 32-inch screen. One of the only other 8K monitors available that you actually buy is the Dell UltraSharp UP3218K, which came out in 2017.

Read more
This new VR headset beats the Vision Pro in one key way and is half the price
Pimax Crystal Super and Light VR headsets appear on a dark background.

While the Apple Vision Pro offers ultra-high-resolution displays with 23 million pixels, the staggering $3,500 price might inspire you to look for Vision Pro alternatives.

Good news: Pimax just announced two new VR headsets, including a budget model that costs as low as $799 and a more advanced version starting at $1,799. Both are based on the design of one of the best VR headsets currently available -- the Pimax Crystal that launched in May 2023 for $1,599 -- but come with a serious upgrade in terms of resolution.
Pimax Crystal Super

Read more