--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Actively Exploited Critical Zero-Day Vulnerability in Adobe Flash' version: '1.0' number: '2017-022' date: 'October 17, 2017' --- _History:_ * _17/10/2017 --- v1.0: Initial publication_ # Summary On 16th of October 2017, Adobe has released a security update for Adobe Flash Player for Windows, MacOS, Linux, and Chrome OS. This update addresses a critical _type confusion_ vulnerability that could lead to code execution (CVE-2017-11292) [1]. Adobe also alerted that this vulnerability is being actively exploited in targeted attacks. The exploit was identified on 10th of October by Kaspersky's researchers [2]. # Technical Details The vulnerability is a memory corruption vulnerability that exists in the following class: com.adobe.tvsdk.mediacore.BufferControlParameters Once the exploit is successful, the attacker gains arbitrary read/write operations within memory, thus leading to code execution in the context of the user. Kaspersky's researchers spotted the malicious code delivered via an MS Office document, embedded in an ActiveX object [2]. # Products Affected * Adobe Flash Player Desktop Runtime 27.0.0.159 on Windows, MacOS, and Linux * Adobe Flash Player for Google Chrome 27.0.0.159 on Windows, MacOS, Linux, and Chrome OS * Adobe Flash Player for Microsoft Edge and Internet Explorer 11 27.0.0.130 on Windows 10 and Windows 8.1 # Recommendations Apply security update issued by Adobe [1]: * Adobe Flash Player Desktop Runtime 27.0.0.170 on Windows, MacOS, and Linux * Adobe Flash Player for Google Chrome 27.0.0.170 on Windows, MacOS, Linux, and Chrome OS * Adobe Flash Player for Microsoft Edge and Internet Explorer 11 27.0.0.170 on Windows 10 and Windows 8.1 Concerning Flash player for Google Chrome, it will be automatically updated to the latest Google Chrome version. # References [1] Adobe advisory [2] Kaspersky Blog post about BlackOasis APT