The emergency patch released by Adobe last week was actually for a zero-day vulnerability, but cyber-criminals messed up its integration into exploit kits, inadvertently saving a big slice of users from infection.
That’s according to Jérôme Segura, Malwarebytes senior security researcher, who explained in a blog post that the mistake meant CVE-2016-1019 in fact only affected users running older versions of Flash Player.
Adobe claimed at the time that a “mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later.”
However, as it was still possible to circumvent the mitigation and make the flaw work on fully patched versions of the popular software, Adobe was forced to release an out-of-band update last week.
The Magnitude EK had been using the vulnerability “for some time” in several still-active malvertising campaigns designed to deliver the Cerber ransomware to unsuspecting users, claimed Segura.
“Drive-by download attacks that involve compromised sites or malvertising continue to leverage the Flash Player as the preferred piece of software for exploitation,” he explained.
“As an end-user, you need to evaluate your situation and decide whether you should keep it installed or not. If you do, it is critical that you run an exploit mitigation tool in parallel due to the likelihood of zero-day attacks. In other words, the traditional advice to keep your software up-to-date is not sufficient when it comes to high-risk plugins such as Flash.”
An overwhelming 90% of cybersecurity professionals believe that their organization would be more secure if they switched off support for the Flash plugin, according to a study by Bromium last year, which revealed that it was responsible for more exploits than any other software in the first half of 2015.
Amazon has withdrawn support for Flash ads, Google has announced it is following suit, and Apple has long been a detractor.