Adobe Patches Flash Bug Used To Install Spyware

Researchers have warned computer users to patch a security flaw in Adobe’s widely distributed Flash after hackers were discovered using the hole to carry out attacks on Windows systems.


Adobe released a patch for the issue on the same day that it was publicly disclosed by Kaspersky Lab, which discovered the hole last week.

Spyware installer

Kaspersky said it discovered the bug, which has been given the common designation CVE-2017-11292, being used by a hacking group called BlackOasis to attempt to install the FinSpy spying software, also known as FinFisher.

FinSpy is marketed by Anglo-German company the Gamma Group to governments and police forces for surveillance purposes.

BlackOasis has been observed several times over the past two years using previously unknown software bugs to install FinSpy on the systems of Middle Eastern dissident or opposition groups, with some of its targets being based in the UK, according to Kaspersky.

Adobe releasd the update for Windows, macOS, Linux and Chrome OS, saying in its advisory the bug was “critical”.

“Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows,” Adobe said in the alert.

Targeted attacks

Kaspersky said it has only observed one attack using the flaw, leading it, too, to believe it is being used in a “highly targeted” way.

BlackOasis’ attacks generally involve sending its targets an infected office document, such as an RTF file, according to Kaspersky. The document contains the exploit, which downloads malware such as FinSpy.

“We believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here will continue to grow,” Kaspersky said in its advisory.

Researchers and developers have been increasingly critical of Flash due to its popularity as a target for hackers, and Adobe said in July it plans to phase the software out by 2020.

In the meantime, monthly patches for Flash have gradually diminished and Adobe released no regular patch in October.

The zero-day bug appeared six days after Adobe’s regularly scheduled patch window, researchers observed.

“Flash’s days are very numbered but it’s having an agonising, protracted exit,” said security firm Sophos in a blog post.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago