Hacker group may be exploiting unpatched vulnerability in Adobe Flash Player

adobe exploit scarcruft heartbleed bug hacker
Kaspersky Lab’s latest blog, written by Costin Raiu, points to a security advisory published by Adobe that warns of a critical vulnerability in Adobe Flash Player version 21.0.0.242 and older for ChromeOS, Linux, Macintosh, and Windows-based operating systems. This vulnerability, called CVE-2016-4171, could cause a crash if exploited and allow hackers to take control of the affected system.

According to Adobe, it’s aware of an exploit of CVE-2016-4171 being used in the wild in limited, targeted attacks. However, the company doesn’t seem to be too worried about the problem, as a fix won’t be offered until Adobe dishes out its monthly security update slated to be released as early as June 16 (just days away).

In its security advisory, Adobe actually acknowledged Anton Ivanov and Costin Raiu of Kaspersky Lab for reporting the vulnerability in Flash Player and working with the company to address the issue. Raiu indicated in his follow-up blog that the exploit was uncovered by new technologies inserted into Kaspersky Lab products to identify and block zero-day attacks. This new tech caught and blocked an Adobe Flash zero-day exploit earlier this year, followed by another one just this month.

Raiu said that the security firm believes a new advanced persistent threat (APT) group internally called “ScarCruft” is behind these attacks. This group has several ongoing operations using two exploits in Adobe Flash and one in Internet Explorer. So far, their victims have resided in a number of countries outside North America including China, India, Kuwait and Romania.

According to the security firm, one of the operations currently in motion is dubbed Operation Daybreak. This attack, launched back in March 2016, focuses on high-profile victims using a zero-day Adobe Flash Player exploit that was previously unknown. Another attack is dubbed Operation Erebus, which uses an older exploit and, according to Raiu, “leverages watering holes.” There may have been a third attack too, but that exploit was patched in April.

In addition to Adobe’s Flash Player security advisory published on Tuesday, Adobe also released a number of security bulletins for Adobe DNG SDK, Adobe Brackets, Adobe Creative Cloud Desktop Application, and ColdFusion. For instance, the company released hotfixes for ColdFusion 10, 11, and the 2016 release that resolve an input validation issue that could be used in reflected cross-site scripting (XSS) attacks. The company recommends that customers update these product installations to the latest release.

Adobe issued security updates for Flash Player just a month ago, addressing vulnerabilities that could allow a hacker to gain control of an affected system. One of the affected versions the security updates addressed was Adobe Flash Player for Microsoft Edge and Internet Explorer 11 v21.0.0.241 and earlier, as well as Adobe Flash Player for Google Chrome v21.0.0.216 and earlier.

As for the latest attack on Adobe Flash Player, Raiu said that Kaspersky Lab will release more details when Adobe patches the vulnerability, which he expects to be on June 16 as Adobe indicated in its security advisory.

“Until then, we confirm that Microsoft EMET is effective at mitigating the attacks,” he added in the blog.

Smart Home

Amazon shows off compact cashier-free store that could show up at airports

Amazon is testing its smallest Amazon Go store to date as it considers taking the grab-and-go technology to new venues such as airports and train stations. The compact store is a quarter the size of its current locations.
Computing

Windows Update not working after October 2018 patch? Here’s how to fix it

Windows update not working? It's a more common problem than you might think. Fortunately, there are a few steps you can take to troubleshoot it and in this guide we'll break them down for you step by step.
Gaming

Apple Mac users should take a bite out of these awesome games

Contrary to popular belief, there exists a bevy of popular A-list games compatible for Mac computers. Take a look at our picks for the best Mac games available for Apple fans.
Emerging Tech

Full-fledged drone delivery service set to land in remote Canadian community

Some drone delivery operations seem rather crude in their execution, but Drone Delivery Canada is building a comprehensive platform that's aiming to take drone delivery to the next level.
Computing

You can now get a Surface Laptop 2 for $800 at the Microsoft Store

Along with deals on other variants, starting configurations of Microsoft's Surface Laptop 2 are now going for $800 online at its retail store, cutting $200 from its usual $1,000 starting price. 
Computing

Need a monitor for professional photo-editing? These are the very best

Looking for the best monitor for photo editing? You'll need to factor in brightness, color accuracy, color gamut support and more. Fortunately, we've rounded up the best ones for you, to help you make an educated purchase.
Computing

Canada’s winters inspired a startup to warm homes with cryptomining heat waste

Cryptomining may be the key to untold riches and the future of currency, but it’s also an environmental nightmare. Heatmine, thinks it has the answer, but it could mean bolting a mining rig onto every home and business in the country.
Computing

HDR monitors are beginning to have an impact. Here are the best you can buy

HDR isn't the most common of PC monitor features and is often charged at a premium, but the list of available options is growing. These are the best HDR monitors you can buy right now.
Computing

You’ll soon be able to scribble all over PDFs on your Chromebook

Chrome OS users may soon be able to doodle all over their PDF documents with the possible addition of a new feature in Chrome OS' PDF viewer. The annotation feature is expected to allow users to hand draw or write over their documents.
Virtual Reality

Oculus Rift vs. HTC Vive: Prices drop, but our favorite stays the same

The Oculus Rift and HTC Vive are the two big names in the virtual reality arena, but most people can only afford one. Our comparison tells you which is best when you pit the Oculus Rift vs. HTC Vive.
Computing

Microsoft’s Windows 95 throwback was just an ugly sweater giveaway

Microsoft's "softwear" announcement wasn't what we had hoped for. Thursday's announcement was not the new line of wearable tech or SkiFree monster sweater we wished for. But it did deliver the 90s nostalgia we wanted.
Home Theater

Confused about LED vs. LCD TVs? Here's everything you need to know

Our LED vs. LCD TV buying guide explains why these two common types of displays are fundamentally connected, how they differ, what to look for in buying an LED TV, and what's on the horizon for TVs.
Deals

The best MacBook deals for December 2018

If you’re in the market for a new Apple laptop, let us make your work a little easier: We hunted down the best up-to-date MacBook deals available online right now from various retailers.
Computing

How to connect AirPods to your MacBook

If you have new AirPods, you may be looking forward to pairing them with your MacBook. Our guide will show you exactly how to connect AirPods to MacBook, what to do if they are already paired with a device, and more.