It has been a few months since we have seen a significant zero-day vulnerability hit users at large. This time, it is another exploit plaguing Adobe Flash. To date, attackers are exploiting a critical vulnerability that won't have a patch ready until later this week at the earliest. This new exploit can target Adobe Flash version 21.0.0.242 and lower and was identified earlier this month by researchers from Kaspersky Lab. Adobe has referenced the unpatched vulnerability in this advisory, NVD has assigned it CVE-2016-4171, but unfortunately provides very little details for mitigation until a patch is available.
Fortunately, using standard browser settings there are a few simple methods to help protect yourself against this Flash exploit (and the myriad of others that continue to appear) by disabling automatically executing plugins and requiring a prompt to enable the desired plugin when required. Most browsers allow you to create exceptions if you do not want to do this each time and per site. Apple, for example, has announced that MacOS Sierra will disable the Adobe Flash plugin by default in Safari and require this process per site in order to protect users.
Today, here are the settings you can change per browser to protect yourself until Adobe issues a fix:
Google Chrome
Mozilla Firefox
Microsoft Internet Explorer
What You Can Do Today
Although there is no mitigation for this vulnerability yet, you can use BeyondTrust Retina CS enterprise vulnerability management to detect hosts with the vulnerable versions of Adobe Flash, and PowerBroker for Window endpoint least privilege management to limit users executing vulnerable versions of Flash. Watch for more on this zero-day coming soon.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.