There seems to be no end of trouble for the beleaguered Flash Player and those who use it. Not long ago, yet another critical security flaw was found in the player, designated as CVE-2016-4117 by security researchers at FireEye. As is generally the case with zero-day exploits like this one, Adobe responded almost immediately with a patch. The problem, however, is that less than two weeks after the details of the exploit were published, a malware researcher spotted the exploit in an exploit kit called “Magnitude.” That’s problematic because Magnitude is one of the most popular exploit kits in the hacking community.
An exploit kit is a web-based attack tool that contains a bundle of several known exploits for web browser plugins (like Flash). The hackers who make these kits don’t really care whether the exploit in question has been patched or not, because they understand people, and they know that the odds are excellent that a high percentage of people who use Flash won’t bother to keep up with the latest security patches. In short then, they know that they can infect tens of thousands (or more) machines, quickly and easily, even in cases where a patch has already been issued.
This latest discovery is noteworthy mostly because of the speed and efficiency with which the exploit was included in a kit. The hacking community is proving quite adept at responding to new information and building new exploits into their tool sets almost as fast as they are discovered.
If you’re not sure whether or not you use Flash at your company, find out. If you use it, make sure you’re protected by the latest security patch. There are widely available tools that make it easy to use against you if you don’t keep up with the latest updates.
If you’re feeling a bit overwhelmed by it all, contact one of our seasoned experts and we’ll be happy to assess the risks for you and your company.