It has been a few months since we have seen a significant zero-day vulnerability hit users at large. This time, it is another exploit plaguing Adobe Flash. To date, attackers are exploiting a critical vulnerability that won't have a patch ready until later this week at the earliest. This new exploit can target Adobe Flash version 21.0.0.242 and lower and was identified earlier this month by researchers from Kaspersky Lab. Adobe has referenced the unpatched vulnerability in this advisory, NVD has assigned it CVE-2016-4171, but unfortunately provides very little details for mitigation until a patch is available.
Fortunately, using standard browser settings there are a few simple methods to help protect yourself against this Flash exploit (and the myriad of others that continue to appear) by disabling automatically executing plugins and requiring a prompt to enable the desired plugin when required. Most browsers allow you to create exceptions if you do not want to do this each time and per site. Apple, for example, has announced that MacOS Sierra will disable the Adobe Flash plugin by default in Safari and require this process per site in order to protect users.
Today, here are the settings you can change per browser to protect yourself until Adobe issues a fix:
Google Chrome
Mozilla Firefox
Microsoft Internet Explorer
What You Can Do Today
Although there is no mitigation for this vulnerability yet, you can use BeyondTrust Retina CS enterprise vulnerability management to detect hosts with the vulnerable versions of Adobe Flash, and PowerBroker for Window endpoint least privilege management to limit users executing vulnerable versions of Flash. Watch for more on this zero-day coming soon.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.