Adobe announced today an emergency patch for Thursday, June 16, to fix a zero-day in Flash Player exploited in the wild.
According to Anton Ivanov and Costin Raiu of Kaspersky, the vulnerability was used in targeted attacks.
The term "targeted attacks" describes attacks in which the threat group aims its malicious code at only a limited set of individuals. Such exploits are usually found in the arsenal of private or state-sponsored cyber-espionage groups.
Zero-day used for cyber-espionage by new ScarCruft APT
The vulnerability ID assigned to this zero-day is CVE-2016-4171, and Adobe says it affects Flash Player 21.0.0.242 and earlier versions, running on Windows, Macintosh, Linux, and Chrome OS. Flash Player 21.0.0.242 is the company's most recent version, so this means the zero-day affects all Flash installations.
An attacker can use CVE-2016-4171 to crash a Flash Player installation in an unsafe way that then allows the attacker to run malicious code on the user's system and take over the machine.
Kaspersky researchers say the group behind these targeted attacks is a new APT they named ScarCruft. Researchers say the group is currently running two operations: Daybreak and Erebus.
These operations are aimed at countries such as Russia, Nepal, South Korea, China, India, Kuwait and Romania. Kaspersky says ScarCruft is currently using multiple Flash exploits and an Internet Explorer vulnerability to target victims.
Adobe also fixed Brackets, CC desktop app, ColdFusion, and DNG SDK
The company's engineers also released security patches today for the company's DNG SDK, the Adobe Brackets Web IDE, the Creative Cloud desktop app, and the ColdFusion programming language.
For the DNG SDK, Adobe fixed a simple memory corruption issue, CVE-2016-4167. Adobe released DNG Software Development Kit (SDK) 1.4 2016 to fix the issue.
For Adobe Brackets, the company fixed a JavaScript injection issue used in XSS attacks (CVE-2016-4164), and an input validation vulnerability in the extension manager (CVE-2016-4165). Adobe Brackets 1.7 is the latest version which you should now use.
For the Adobe Creative Cloud desktop app, Adobe fixed a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4157) and an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application (CVE-2016-4158). Adobe Creative Cloud 3.7.0.272 is now the most recent version.
For Adobe ColdFusion, there were quite a few bugs fixed, in ColdFusion versions 10, 11, and the 2016 release. All release notes are included in the Adobe security advisory.
UPDATE: Added information about the APT group that's using the zero-day, courtesy of Kaspersky.