Tech

Cyberattackers botch integration of Adobe Flash zero-day vulnerability in exploit kits

Users of Adobe Flash have a little more breathing space to patch their systems.

Written by Charlie Osborne, Contributing Writer April 11, 2016 at 1:14 a.m. PT

Hackers seeking to leverage a zero-day vulnerability in Adobe Flash made a mess of integrating the flaw into exploit kits, giving users more time to patch vulnerable systems.

According to Malwarebytes security researcher Jerome Segura, the botched integration of an exploit for the Flash zero-day vulnerability CVE-2016-1019 has significantly reduced the pool of potential victims.

Last week, Adobe deployed an emergency patch for the security issue, which impacts users of Windows, Mac, Linux and Chrome operating systems.

If exploited correctly, the type confusion vulnerability has the scope to impact millions of Adobe Flash users, crashing systems or providing the avenue for complete system hijacking.

However, as Segura notes, another saving grace for users is the fact that Adobe also mitigated the problem in Flash Player 21.0.0.182 and 21.0.0.197, preventing the security flaw being fully exploited, leading to only a crash.

Security

Malwarebytes says that the Magnitude exploit kit has been using CVE-2016-1019 in malvertising campaigns -- the deployment of fraudulent and malicious ads across advertising networks designed to dupe users into visiting malicious domains containing the kit -- "for some time."

If a user views a dodgy advert and visits a domain controlled by such a cyberattacker, the exploit kit will use the vulnerability to download the Cerber ransomware.

Once Cerber has infected a vulnerable system, the malware locks users out of their PC, encrypts files and demands between $520 - $1040 to restore functionality.

Users of Adobe Flash should update their systems as soon as possible to protect themselves against this threat.