Mindless Flash masses saved as exploit kit devs go astray with 0day
Since-patched flaw was imperfectly targeted by incompetent crimeware
Malwarebytes hacker Jerome Segura says black hats have made a mess of efforts to unleash an Adobe Flash zero day vulnerability as part of their popular exploit kit, reducing the pool of potential victims.
If done right, the remote code execution exploit had the potential to hurt millions of Flash users, but Adobe was able to release a patch last week closing off CVE-2016-1019 among two dozen others.
"This vulnerability was actually a zero-day but exploit kit authors botched its integration which resulted in only affecting older versions of Flash," Segura says.
"Another saving grace was the fact that Adobe mitigated the attack vector in version 220.127.116.11 and above."
He says Magnitude, considered perhaps the second-most-popular among crime-grade exploit kits, is "very active" and told El Reg it has been exploiting the then zero day since early April.
Users would need only view an online advertisement created by attackers to have the Magnitude exploit kit compromise machines and the data within. They do not need to click on advertisements.
Users running the Flash Player versions 18.104.22.168 and prior for Windows, OS X, Linux and ChromeOS should apply the fix or jettison the ravaged runtime.
It comes as Microsoft announced its Edge browser would nix "non-central" Flash content in webpages by default and recommended that content creators move to non-fatal alternatives including HTML5. ®