Adobe Warns of Actively Exploited Zero-Day Flash Vulnerabilities

Adobe has issued a warning about a new critical security vulnerability that is being actively exploited by hackers. The vulnerability affects Adobe Flash 21.0.0.226 and all previous versions for Windows, Linux, Mac, and Chrome OS.

Adobe plans to address the vulnerability in its next monthly security update, although until that update is released all users are potentially at risk. The monthly update is expected to be released as early as May 12. Adobe rates the vulnerability (APSA16-02, CVE-2016-4117) as critical.

The vulnerability was detected by security firm FireEye on May 8, 2016. FireEye reported that while the vulnerability affected multiple operating systems, the active exploit it discovered was targeting Windows users with Microsoft Office installed.

The exploit had been embedded in an MS Office document which was hosted on the attacker’s web server. The document, and the malicious payload, were referenced using a Dynamic DNS (DDNS) domain. Attacks were taking place via spam email containing malicious attachments, and also via the Internet.

Since this exploit is active in the wild, the security update should be installed as soon as possible after the release. Until the patch is released, all users of Flash are potentially at risk of the vulnerability being exploited.

Zero-day exploits affecting Adobe Flash are discovered frequently. Adobe is usually quick to release patches to address the vulnerabilities, but many system administrators struggle to install the patches promptly. To keep systems protected, reassess the benefits that Adobe Flash brings and whether the software is actually a necessity. Oftentimes, Flash is installed on computers but is rarely or never used, and should therefore be uninstalled.

If it is neither possible nor practical to uninstall Adobe Flash, all browsers should be set to require Flash to be manually enabled for each website. This will help to reduce the attack surface. If manual authorization is required, an end user would have to authorize Flash on an infected or malicious website before vulnerabilities could be exploited.

When patches are released, it is important to ensure they are applied promptly. Adobe Flash can be configured to update automatically to avoid delays.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news