Adobe Systems has released a security update for Flash Player in order to fix a publicly known vulnerability, as well as 24 privately reported security flaws. The company issued a warning about the zero-day (previously unknown and unpatched) vulnerability on Tuesday, saying that it is aware of an exploit available in the wild. The flaw, tracked as CVE-2016-4117, was reported by security researchers from FireEye. However, while an exploit for CVE-2016-4117 is known to exist in the public domain, the company is not aware of any active attacks using it, an Adobe spokeswoman clarified Thursday via email. This doesn't mean that hackers won't be quick to adopt it, as Flash Player is one of their favourite targets.
Adobe Systems released security updates for its Flash Player, Adobe Reader and Acrobat products fixing critical vulnerabilities that could allow attackers to install malware on computers. The Flash Player update fixes 13 vulnerabilities, 12 that can lead to remote code execution and one that allows attackers to bypass a security restriction and disclose information. Adobe is not aware of any exploit for these flaws existing in the wild. Users are advised to upgrade to Flash Player version 22.214.171.124 on Windows, Mac and Linux. The Flash Player plug-in bundled with Google Chrome, Microsoft Edge and Internet Explorer will be automatically upgraded through those browsers' respective update mechanisms.
Turla, a hacking group that has been active for over ten years and one of the largest known state-sponsored cyberespionage groups, is showing a shift in its behaviour from using its own creations to leveraging the open-source exploitation framework Metasploit before dropping the custom Mosquito backdoor. While this is not the first time Turla has used generic tools, researchers at ESET say that this is the first time the group has used Metasploit, which is an open-source penetration testing project, as a first stage backdoor. "In the past, we have seen the group using open-source password dumpers such as Mimikatz," ESET Research said in a blog post. "However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper." The typical targets of the attacks remain embassies and consulates in Eastern Europe, and the group is still using a fake Flash installer to install both the Turla backdoor and the legitimate Adobe Flash Player.
Microsoft is providing more detail (via Bleeping Computer) about how it will drop support for Flash in Edge to dovetail with Adobe's plans, including some notable exceptions. As expected, Flash will be disabled by default in Edge as of December 2020. Flash versions released before June 2020 will be blocked outright. People using the pre-Chromium version of Edge and Internet Explorer 11 also won't get Flash security updates from Microsoft. If you want Flash gone for good, you'll also have access to a tool that removes Flash as a Windows component.