A type confusion vulnerability was discovered in Adobe Flash Player version 22.214.171.124 and earlier. This vulnerability can be exploited remotely to achieve arbitrary code execution on the target machine. The type confusion occurs due to improper array index calculation. The vulnerability has been assigned CVE-2017-11292. The table below lists the affected products
|Adobe Flash Player Desktop Runtime||126.96.36.199 and earlier versions||Windows, Macintosh|
|Adobe Flash Player for Google Chrome||188.8.131.52 and earlier versions||Windows, Macintosh, Linux ,Chrome OS|
|Adobe Flash Player for Microsoft Edge and Internet Explorer 11||184.108.40.206 and earlier versions||Windows 10, 8.1|
|Adobe Flash Player Desktop Runtime||220.127.116.11 and earlier versions||Linux|
This issue has been addressed by Adobe in APSB17-32 on version 18.104.22.168. The vulnerability was reported by Anton Ivanov of Kaspersky Labs. The exploit was discovered in the wild, it was delivered as part of malicious Microsoft Office Document embedded with an ActiveX object. The use of the exploit has been attributed to “BlackOasis” and “APT28”. On successful execution the target machine is infected with FinSpy malware or DealersChoice attack depending on the source of the document.
As mentioned earlier a type confusion vulnerability leads to arbitrary code execution. The vulnerability is present in “com.adobe.tvsdk.mediacore.BufferControlParameters” class. An incorrect bytecode verification procedure, which allows an un-trusted value to be used to calculate the array index. On successful exploitation the code will gain arbitrary read/write capability. This can be leveraged to write and execute shellcode .
We request organizations to install the latest version of Adobe Flash Player and scan your network with the QIDs listed below to detect vulnerable machines.
|100321||Microsoft Windows Adobe Flash Player Security Update for October 2017|
|236529||Red Hat Update for flash-plugin (RHSA-2017:2899)|
|370604||Adobe Flash Player Remote Code Execution Vulnerability (APSB17-32)|
Please continue to follow ThreatProtect for information on vulnerabilities.