Adobe today issued an emergency security patch for Flash, which squashes a bug being used in the wild right now by hackers to infect Windows PCs with spyware.
The flaw, CVE-2017-11292, was discovered by Kaspersky Labs, and affects all current versions of Flash for Windows, macOS, Linux and Chrome OS. A programming cockup in the software allows malicious Flash files – hidden on websites or embedded in Office documents and other files – to corrupt the plugin’s internal memory structures and gain remote code execution on a vulnerable machine.
As mentioned, this is a zero-day hole: it is being actively exploited against computers to infect them with malware. Netizens should update their Flash installations as soon as possible.
“This is a type confusion bug that could allow an attacker to execute arbitrary code on a target system,” the Zero Day Initiative warned in an advisory. “The attacker would need to entice an affected system to view maliciously crafted Flash content, typically hosted on a website. This security update should be a high priority for administrators.”
It’s a demoralizing blow for Adobe, which just last week proudly trumpeting the fact that – for the first time in ages – there would be no security patches this month for its applications. Sadly, that lasted six day before the emergency fix had to be released.
‘Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits’
Kaspersky researcher Anton Ivanov uncovered the flaw on October 10 while investigating a hacker called BlackOasis – who last year exploited another zero-day bug in Flash to infect computers with copies of the leaked FinFisher aka FinSpy government surveillance tools.
Forward to this month, and Ivanov spotted BlackOasis exploiting a previously unheard-of bug in Flash to execute arbitrary malicious code on a machine. The booby-trapped Flash file is wrapped in an ActiveX object, and embedded in Microsoft Office documents that are presumably emailed to victims. Once opened, the Flash file exploits the memory-corruption bug to read and write memory as it pleases, which is used to execute an initial shellcode stage.
This first stage disguises some of its code – the NOP sled – to avoid detection by antivirus packages, and downloads and runs a second stage called mo.exe.
This executable is the latest version of FinFisher, the multitool spyware developed for government snoops by Gamma International that was dumped online and into the hands of crooks. The malware can hijack the computer, and spy on the users’ activities, as well as connect to three command-and-control servers to receive fresh orders from its masterminds.
“The payload calls out to three C2 servers for further control and’s exfiltration of data,” the Kaspersky team said.
“We have observed two of them used in the past with other FinSpy payloads. Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.”
So far the attack has only been spotted in highly focused attacks against political targets, Team Kaspersky said. But with news of the flaw now public, script-kiddie morons are likely to pile in and exploit it further. ®