Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Adobe Patches Flash ZeroDay Used To Plant Surveillance Software
Second time in four weeks FINSPY "lawful intercept" tool and a zero-day found together.
1 Min Read
Adobe released a patch for a critical, remote code execution zero-day vulnerability in Adobe Flash Player today. Kasperksy Lab discovered the vulnerability when it saw the BlackOasis threat group using the FINSPY (aka FinFisher) surveillance tool to exploit the bug in attacks last week, according to a Reuters report; Adobe acknowledged Kaspersky researcher Anton Ivanov in its advisory.
A type confusion vulnerability in Flash, CVE-2017-11292 impacts Flash running on Windows, Macintosh, Linux and Chrome OS. The attacks witnessed in-the-wild were targeted and against Windows machines.
FINSPY can be bought by law enforcement and nation-state intelligence agencies as part of "lawful intercept" surveillance tools. Last month, Microsoft patched a zero-day vulnerability in Office, discovered by FireEye, that was also being used to spread FINSPY. It was the second zero-day being used to spread FINSPY that FireEye had discovered this year.
For more information see the Adobe release and Reuters.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.
About the Author
You May Also Like
More Insights
