Critical Zero-Day Vulnerability CVE-2016-4171 – Basic Mitigation
June 15th, 2016
It has been a few months since we have seen a significant zero-day vulnerability hit users at large. This time, it is another exploit plaguing Adobe Flash. As of today, attackers are exploiting a critical vulnerability that won’t have a patch ready until later this week at the earliest. This new exploit can target Adobe Flash version 22.214.171.124 and lower and was identified earlier this month by researchers from Kaspersky Lab. Adobe has referenced the unpatched vulnerability in this advisory and NVD has assigned it CVE-2016-4171, but unfortunately very few details for mitigation are provided until a patch is available.
Fortunately, using standard browser settings there are a few simple methods to help protect yourself against this Flash exploit (and the myriad of others that continue to appear): disable automatically executing plugins and require a prompt to enable the desired plugin when it is needed. Most browsers allow you to create per-site exceptions if you do not want to do this every time. Apple, for example, has announced that macOS Sierra will disable the Adobe Flash plugin by default in Safari and require this process per site in order to protect users.
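As an added example (not part of the original post), the same click-to-play behaviour can be enforced centrally on Windows through Chrome's policy registry keys rather than relying on each user to change their own settings; the `[*.]example.com` exception pattern is a placeholder for a site you trust.

```powershell
# Added example: enforce Chrome "click to play" for plugins (Flash included) via
# the Chrome policy registry keys, with an optional per-site exception list.
# Run from an elevated PowerShell prompt; HKLM policies apply to all users.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chromePolicy -Force | Out-Null

# DefaultPluginsSetting: 1 = run plugins automatically (the risky default),
#                        2 = block all plugins, 3 = click to play (prompt per use)
New-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting' `
    -Value 3 -PropertyType DWord -Force | Out-Null

# Optional per-site exception: sites listed here may run plugins without a prompt.
# Keep this list as short as possible; '[*.]example.com' is a placeholder.
$allowKey = Join-Path $chromePolicy 'PluginsAllowedForUrls'
New-Item -Path $allowKey -Force | Out-Null
New-ItemProperty -Path $allowKey -Name '1' -Value '[*.]example.com' `
    -PropertyType String -Force | Out-Null

# Verify what was written (Chrome picks the policy up on its next start;
# chrome://policy also shows it).
Get-ItemProperty -Path $chromePolicy | Select-Object DefaultPluginsSetting
Get-ItemProperty -Path $allowKey | Select-Object -ExpandProperty 1
```

Setting the value to 2 instead of 3 blocks plugins outright, which is the stronger choice for hosts that have no business need for Flash.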
Today, here are the settings you can change per browser to protect yourself until Adobe issues a fix:
Microsoft Internet Explorer
What You Can Do Today
Although there is no mitigation for this vulnerability yet, you can use BeyondTrust Retina CS enterprise vulnerability management to detect hosts with the vulnerable versions of Adobe Flash, and PowerBroker for Windows endpoint least privilege management to restrict users from running vulnerable versions of Flash. Watch for more on this zero-day coming soon.