Adobe Flash Player is under a very critical zero-day attack, and Adobe says it won’t have a patch ready until later this week.
The flaw (CVE-2016-4171) exists in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux, and Chrome OS, and was detected earlier this month by researchers from antivirus provider Kaspersky Lab, according to a blog post published Tuesday by Costin Raiu, the director of the company’s global research and analysis team.
The flaw is being leveraged by an APT group they dubbed ScarCruft, a cyber-espionage group that has been targeting organizations in Russia, Nepal, South Korea, China, India, Kuwait, and Romania. “Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus,” says Raiu.
Raiu also said: The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high-profile victims. The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April.
We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor.
Home users are unlikely to have been targeted in these attacks, but now that the existence of the zero-day is known and the patch is set to be released quickly, other knowledgeable criminals will soon be able to come up with the exploit and it will likely be added to popular exploit kits.
Users are advised to update Adobe Flash Player as soon as the patch is pushed out, or to forgo the buggy app altogether, if possible. For Windows users, deploying EMET is generally also a good idea.