Following the news that Adobe is expected to release a patch for CVE-2016-4171, Tod Beardsley, Security Research Manager at Rapid7 commented below.

Tod Beardsley, Security Research Manager at Rapid7:

Adobe is expected to release a patch for CVE-2016-4171, which fixes a critical vulnerability in Flash 21.0.0.242 that Kaspersky reports is being used in active, targeted campaigns. Generally speaking, these sorts of pre-patch, zero-day exploits don’t see a lot of widespread use; they’re too valuable to burn on random acts of hacking. So, customers shouldn’t be any more worried about their Flash installation base today than they were yesterday.

The positive effect of this announcement is the fact that it gives us a chance to remind people that Flash remains a very popular vector for client side attacks. In fact, I said as much almost a year ago.

Since then, many organisations have taken defensive steps to ensure that Flash has the same click-to-play protections as Java in their desktop space, so those enterprises are in a better position to defend against this and the next Adobe Flash exploit.

Our product teams here at Rapid7 are alert to this news, and will be working up solutions in Nexpose and Metasploit to cover this vulnerability, and our blog will be updated when those checks and modules are available.