Criminals exploit zero day Flash vulnerability

Adobe will this week patch a critical vulnerability in Flash Player that is being actively exploited in the wild.

Not information is available on the exploit (CVE-2016-4117) ahead of the patch that is set for release from tomorrow.

"A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS," Adobe says.

"Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

It is possible that the exploit is being used in crime kits such as Angler, the developers of which are eager to find new ways to attack scores of users through runtimes like Flash, Java, and Silverlight.

The exploit could be used in malvertising campaigns. If so it could mean anyone running some combination of updated Windows, Adobe Flash, and Internet Explorer could be silently compromised by merely visiting a website that is delivering malicious advertisements.

Such an attack was deployed last month when criminals behind the Magnitude and Nuclear exploit kits were found exploiting the then zero day vulnerabilities.

Adobe released an out-of-band patch in a bid to avoid mass casualties across the web. ®