Adobe Patches Flash Bug Used To Install Spyware

Researchers have warned computer users to patch a security flaw in Adobe’s widely distributed Flash after hackers were discovered using the hole to carry out attacks on Windows systems.


Adobe released a patch for the issue on the same day that it was publicly disclosed by Kaspersky Lab, which discovered the hole last week.

Spyware installer

Kaspersky said it discovered the bug, which has been given the common designation CVE-2017-11292, being used by a hacking group called BlackOasis to attempt to install the FinSpy spying software, also known as FinFisher.

FinSpy is marketed by Anglo-German company the Gamma Group to governments and police forces for surveillance purposes.

BlackOasis has been observed several times over the past two years using previously unknown software bugs to install FinSpy on the systems of Middle Eastern dissident or opposition groups, with some of its targets being based in the UK, according to Kaspersky.

Adobe releasd the update for Windows, macOS, Linux and Chrome OS, saying in its advisory the bug was “critical”.

“Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows,” Adobe said in the alert.

Targeted attacks

Kaspersky said it has only observed one attack using the flaw, leading it, too, to believe it is being used in a “highly targeted” way.

BlackOasis’ attacks generally involve sending its targets an infected office document, such as an RTF file, according to Kaspersky. The document contains the exploit, which downloads malware such as FinSpy.

“We believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here will continue to grow,” Kaspersky said in its advisory.

Researchers and developers have been increasingly critical of Flash due to its popularity as a target for hackers, and Adobe said in July it plans to phase the software out by 2020.

In the meantime, monthly patches for Flash have gradually diminished and Adobe released no regular patch in October.

The zero-day bug appeared six days after Adobe’s regularly scheduled patch window, researchers observed.

“Flash’s days are very numbered but it’s having an agonising, protracted exit,” said security firm Sophos in a blog post.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

AWS re:Invent Conference Welcomes Back Crowds

Over 27,000 attendees and members of the press (including Silicon) attend Amazon Web Services worldwide…

4 hours ago

Head Of Car Giant Stellantis Issues Electric Vehicle Cost Warning

The car manufacturing industry cannot sustain the costs from government demands to shift to electric…

5 hours ago

SpaceX’s Elon Musk Warns Of Bankruptcy Risk Over Engine Issue

SpaceX CEO Elon Musk warns of “disaster” concerning production of Starship Raptor engine that puts…

7 hours ago

Twitter To Remove Photos Tweeted Without Permission

Privacy overstep? Personal photos and videos of private individuals tweeted without the consent of the…

8 hours ago

Facebook Cryptocurrency Executive David Marcus To Leave

Executive in charge of Meta's cryptocurrency efforts, confirms he is leaving after seven years at…

10 hours ago

NY AG Seeks Overseer For Amazon Worker Safety

New York's attorney general asks US judge to appoint someone who will oversee worker safety…

10 hours ago