In today's threat landscape, Adobe Flash Player unfortunately remains an attractive attack vector for adversaries to exploit and compromise systems. Over the past year, Talos has observed several instances where adversaries have identified zero-day vulnerabilities and exploited them to compromise systems. Talos is aware of reports that CVE-2016-1019, an Adobe Flash 0-day vulnerability, is currently being exploited in the wild and is affecting systems running Windows 10 and earlier.

According to the Adobe Flash Playersecurity advisorypublished on April 5, Flash Player versions 21.0.0.197 and earlier are susceptible to compromise via CVE-2016-1019. This includes Flash Player version 20.0.0.306 as well as Flash Player Extended Support Release (ESR) version 18.0.0.333 and earlier. One special note is that as of March 10, 2016, Adobe introduced a mitigation that prevents exploitation of CVE-2016-1019 in Flash version 21.0.0.182 and later.

Read more >>