Adobe Patches Flash Bug Used To Install Spyware

Researchers have warned computer users to patch a security flaw in Adobe’s widely distributed Flash after hackers were discovered using the hole to carry out attacks on Windows systems.

Adobe released a patch for the issue on the same day that it was publicly disclosed by Kaspersky Lab, which discovered the hole last week.

Spyware installer

Kaspersky said it discovered the bug, which has been given the common designation CVE-2017-11292, being used by a hacking group called BlackOasis to attempt to install the FinSpy spying software, also known as FinFisher.

FinSpy is marketed by Anglo-German company the Gamma Group to governments and police forces for surveillance purposes.

BlackOasis has been observed several times over the past two years using previously unknown software bugs to install FinSpy on the systems of Middle Eastern dissident or opposition groups, with some of its targets being based in the UK, according to Kaspersky.

Adobe releasd the update for Windows, macOS, Linux and Chrome OS, saying in its advisory the bug was “critical”.

“Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows,” Adobe said in the alert.

Targeted attacks

Kaspersky said it has only observed one attack using the flaw, leading it, too, to believe it is being used in a “highly targeted” way.

BlackOasis’ attacks generally involve sending its targets an infected office document, such as an RTF file, according to Kaspersky. The document contains the exploit, which downloads malware such as FinSpy.

“We believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here will continue to grow,” Kaspersky said in its advisory.

Researchers and developers have been increasingly critical of Flash due to its popularity as a target for hackers, and Adobe said in July it plans to phase the software out by 2020.

In the meantime, monthly patches for Flash have gradually diminished and Adobe released no regular patch in October.

The zero-day bug appeared six days after Adobe’s regularly scheduled patch window, researchers observed.

“Flash’s days are very numbered but it’s having an agonising, protracted exit,” said security firm Sophos in a blog post.

Do you know all about security in 2017? Try our quiz!