Adobe has released a critical security patch (APSB17-32) for Adobe Flash Player. This update addresses a critical type confusion vulnerability that could lead to code execution. Affects Windows, Macintosh and Linux operating systems. This vulnerability identified with CVE-2017-11292 by a vulnerability scanning tool.
A security researcher from Kaspersky Labs have uncovered this new zero-day remote code execution vulnerability in Adobe Flash, which was being actively exploited in the wild. According to researchers at Kaspersky Labs, the exploit delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. Analysis of the payload by researchers have indicated its link to a group of advanced persistent threat actors, known as BlackOasis. BlackOasis is the same group of attackers which were also responsible for exploiting another zero-day vulnerability (CVE-2017-8759) discovered in September 2017. Also, the final FinSpy payload in the current attack (CVE-2017-11292) shares the same command. And control (C&C) server as the payload used with CVE-2017-8759. A reliable patch management tool can remediate all these vulnerabilities.
This zero-day exploit is delivered through Microsoft Office document attached to a spam email, and embedded within this document is an ActiveX object which contains the Flash exploit. The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer. The exploit is a memory corruption vulnerability that exists in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class. If the exploit is successful, it will gain arbitrary read and write operations within the memory. Allowing it to execute a shellcode. The shellcode then downloads the final payload (FinSpy).
FinFisher, also known as FinSpy, is surveillance software that has extensive spying capabilities on an infected system. It can secretly conduct live surveillance by turning ON infected system's webcams and microphones, recording everything the victim types on the keyboard, intercepting Skype calls, and exfiltration of files.
Affected versions of Adobe Flash Player Security Patch:
- Flash Player versions 27.0.0.159 and earlier for Windows, Macintosh, and Linux.
- Flash Player version 27.0.0.159 and earlier for Adobe Flash Player for Google Chrome.
- Flash Player version 27.0.0.130 and earlier for Adobe Flash Player for Microsoft Edge and
- Internet Explorer 11 on Windows 10 and Windows 8.x.
Solution:
All the users of the Adobe Flash Player for Windows, Macintosh, and Linux are advised to update to Flash Player version 27.0.0.170. Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11 automatically updated to the latest version.
However, all these updates easily remediated through SecPod Saner. Also, install Saner to detect and remediate these type of threats and stay secure.