May 12, 2016
Adobe announced today another zero-day vulnerability in its Flash Player application, which the company says attackers are using in real-world attacks.
Adobe rated the vulnerability (CVE-2016-4117) as critical and said it affects Adobe Flash Player 18.104.22.168 and earlier versions, running on Windows, Macintosh, Linux, and Chrome OS.
The company promised a patch for Flash on Thursday, May 12. Adobe also says the vulnerability is serious, allowing an attacker to crash Flash Player in an unsafe manner that could allow an attacker to take control of the affected system.
The company did not mention it, but this looks like a RCE (remote code execution) vulnerability, which most critical Flash bugs tend to be. But, we’re speculating.
Adobe credited Genwei Jiang, a security researcher from FireEye for discovering the vulnerability. Jiang, together with Proofpoint researchers, also discovered a similar Flash zero-day last month. For that case, attackers used the zero-day to deliver the Cerber and Locky ransomware families.