Critical Zero-Day Vulnerability CVE-2016-4171 – Basic Mitigation

Morey Haber, Chief Technology Officer
June 15th, 2016


It has been a few months since a significant zero-day vulnerability last hit users at large. This time, it is another exploit plaguing Adobe Flash. Attackers are currently exploiting a critical vulnerability that won’t have a patch ready until later this week at the earliest. The exploit can target Adobe Flash version 21.0.0.242 and lower and was identified earlier this month by researchers from Kaspersky Lab. Adobe has referenced the unpatched vulnerability in an advisory, and NVD has assigned it CVE-2016-4171, but unfortunately there are very few details on mitigation until a patch is available.

Fortunately, standard browser settings offer a few simple ways to protect yourself against this Flash exploit (and the myriad others that continue to appear): disable automatic execution of plugins and require a prompt before a plugin is enabled. Most browsers let you create per-site exceptions if you do not want to be prompted each time. Apple, for example, has announced that macOS Sierra will disable the Adobe Flash plugin by default in Safari and require this process per site in order to protect users.

Here are the settings you can change in each browser today to protect yourself until Adobe issues a fix:

Google Chrome

[Screenshot: Google Chrome settings]

Mozilla Firefox

[Screenshot: Mozilla Firefox settings]

Microsoft Internet Explorer

[Screenshot: Microsoft Internet Explorer settings]

What You Can Do Today

Although there is no mitigation for this vulnerability yet, you can use BeyondTrust Retina CS enterprise vulnerability management to detect hosts with the vulnerable versions of Adobe Flash, and PowerBroker for Windows endpoint least privilege management to limit users executing vulnerable versions of Flash. Watch for more on this zero-day coming soon.
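
For teams triaging from an existing software inventory export, the version check itself can be sketched as follows. This is an added example, not BeyondTrust or Adobe code; the CSV layout, host names and sample versions are constructed, and only the 21.0.0.242 threshold comes from the article.

```python
import csv
import io

# Highest affected release according to the article above.
LAST_AFFECTED = (21, 0, 0, 242)

# Constructed sample inventory (assumed export format); not real data.
SAMPLE_INVENTORY = """host,flash_version
ws-001,21.0.0.242
ws-002,"21,0,0,213"
ws-003,9.0.124.0
ws-004,22.0.0.1
ws-005,unknown
ws-006,
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the text is not a 4-part version.

    Accepts dotted ("21.0.0.242") and comma-separated ("21,0,0,242") forms.
    """
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Sort hosts into affected / not_affected / review (unparseable)."""
    result = {"affected": [], "not_affected": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("flash_version") or "")
        if version is None:
            # Missing or malformed data is never treated as safe.
            result["review"].append(row["host"])
        elif version <= LAST_AFFECTED:
            # Tuple comparison is numeric; comparing the raw strings would
            # rank "9.0.124.0" above "21.0.0.242" and miss old installs.
            result["affected"].append(row["host"])
        else:
            result["not_affected"].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```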

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures for Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.