Tomorrow, Adobe is expected to release a patch for CVE-2016-4171, which fixes a critical vulnerability in Flash 18.104.22.168 that Kaspersky reports is being used in active, targeted campaigns. Generally speaking, these sorts of pre-patch, zero day exploits don't see a lot of widespread use; they're too valuable to burn on random acts of hacking.
So, customers shouldn't be any more worried about their Flash installation base today than they were yesterday. However, as I explained almost a year ago, Flash remains a very popular vector for client side attacks, so we recommend you always treat it with caution, and disable it when not needed. This announcement is a great reminder to do that.
Since Flash's rise as a popular vector for exploitation, many organizations have taken defensive steps to ensure that Flash has the same click-to-play protections as Java in their desktop space, so those enterprises are in a better position to defend against this and the next Adobe Flash exploit.
Our products teams here at Rapid7 are alert to this news, and will be working up solutions in Nexpose and Metasploit to cover this vulnerability, and this blog will be updated when those checks and modules are available. For Nexpose customers in particular, if you’ve opted into Nexpose Now, you can easily create dashboard cards to see all of your java vulnerabilities and the impact that this vulnerability has on your risk. You can also use Adaptive Security to set up a trigger for the vulnerability so that Nexpose automatically launches a scan for it as soon as the check is released.