Zero-day vulnerability in Adobe Flash Player

Use-after-free error
CVE-2016-7855

The vulnerability was disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group.

The vulnerability was exploited by Russian hacker group APT28.

Vulnerability details

Advisory: SB2016102602 - Remote code execution in Adobe Flash Player

Vulnerable component: Adobe Flash Player

CVE-ID: CVE-2016-7855

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Memory corruption

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use-after-free error when handling .swf files. A remote attacker can trick the victim to visit a website or open a file with malicious Flash file and execute arbitrary code on the target system with privileges of the current user.

Note: this vulnerability was being actively exploited in the wild.

External links:

https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html https://helpx.adobe.com/security/products/flash-player/apsb16-36.html https://technet.microsoft.com/library/security/ms16-128
https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/
http://securityaffairs.co/wordpress/52739/hacking/cve-2016-7855-adobe.html
http://sensorstechforum.com/cve-2016-7855-flash-bug-exploited-limited-attacks/
http://www.securityweek.com/adobe-patches-flash-vulnerability-used-targeted-attacks
http://thehackernews.com/2016/10/google-windows-zero-day.html
http://opensources.info/cve-2016-7855-flaw-in-adobe-flash-player-exploited-in-targeted-attacks/
https://www.infosecurity-magazine.com/news/flash-windows-zerodays-are-being/
https://fossbytes.com/microsoft-windows-zero-day-vulnerability-google-told-people/
https://www.theregister.co.uk/2016/10/26/adobe_patches_fresh_flash_zeroday/
https://www.symantec.com/connect/blogs/flash-zero-day-being-exploited-targeted-attacks
http://www.pcworld.com/article/3135715/security/emergency-flash-player-patch-fixes-zero-day-critical...
http://thecharlestendellshow.com/microsoft-patches-cve-2016-7255-windows-zero-day-exploited-by-fancy...
https://arstechnica.com/security/2016/11/fancy-bear-goes-all-out-to-beat-adobe-msft-zero-day-patches...

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.