The vulnerability was disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group.
The vulnerability was exploited by Russian hacker group APT28.
Vulnerable component: Adobe Flash Player
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when handling .swf files. A remote attacker can trick the victim to visit a website or open a file with malicious Flash file and execute arbitrary code on the target system with privileges of the current user.
Note: this vulnerability was being actively exploited in the wild.
Latest references in media:
- Our commitment to our customersтАЩ security [2016-11-01 18:47:27]
- Hardening Windows 10 with zero-day exploit mitigations [2017-01-13 22:28:49]
- Russian Hackers Target Montenegro as Country Joins NATO [2017-06-07 11:00:27]
- Windows 10 Blocks Zero-Days Before Patches Arrive: Microsoft [2017-01-19 00:07:06]
- Code Reuse a Peril for Secure Software Development [2016-12-15 16:10:08]
- Microsoft Bolsters Ransomware Protection in Windows 10 Anniversary Update [2016-11-14 23:45:22]
- Pawn Storm APT conducted spear-phishing attacks before zero-days was fixed [2016-11-13 10:54:57]
- Cyberspies Ramped Up Attacks After Exposure of Zero-Days [2016-11-09 20:23:28]
- Pawn Storm raced to pop many targets before Windows zero-day patch release [2016-11-09 17:14:51]
- Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched [2016-11-09 14:27:42]
- Heavy Patch Tuesday on US Election Day [2016-11-09 12:12:06]
- Microsoft patches CVE-2016-7255 Windows zero-day exploited by Fancy Bear [2016-11-09 09:24:35]
- Adobe issued security patches for 9 Flash Player flaws reported via ZDI [2016-11-09 08:04:18]
- Adobe Patches 9 Flash Player Flaws Reported via ZDI [2016-11-08 17:53:42]
- Adobe Patches Nine Code Execution Flaws in Flash Player [2016-11-08 17:24:58]
- There’s no best way to handle disclosure of zero-day vulnerabilities [2016-11-04 18:15:12]
- Post-pumpkin Patch Tuesday: What’s in store for November [2016-11-03 10:44:43]
- Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch [2016-11-02 15:38:01]
- Recent Windows Kernel zero-day exploited by hackers behind the DNC hack [2016-11-02 09:13:58]
- Windows Zero-Day Exploited by Russia-Linked Cyberspies [2016-11-02 09:04:00]
- Flash, Windows Zero-days Are Being Actively Exploited in the Wild [2016-11-01 22:00:31]
- Microsoft flips Google the bird after Windows kernel bug blurt [2016-11-01 20:40:02]
- Google warns of actively exploited Windows zero-day [2016-11-01 10:23:36]
- Google discloses Windows zero-day that has been exploited in the wild [2016-11-01 10:03:43]
- Google Discloses Windows Zero-Day Vulnerability [2016-11-01 09:33:33]
- Google drops a zero-day on Microsoft: Web giant goes public with bug exploited by hackers [2016-10-31 23:10:01]
- Google Reveals Windows Kernel Zero Day Under Attack [2016-10-31 22:03:31]
- ShadowBrokers Dumps Lists of Equation Group Hacked Servers [2016-10-31 18:53:44]
- Security Affairs newsletter Round 84 тАУ News of the week [2016-10-30 13:02:31]
- Patch Your Flash: Another Zero-Day Vulnerability Hits Adobe Flash [2016-10-27 12:42:39]
- Adobe releases Emergency Flash Update to resolve Critical Vulnerability [2016-10-27 00:24:19]
- Adobe kicks out patch for fresh Flash zero-day [2016-10-26 21:00:01]
- Emergency Flash Player patch fixes zero-day critical flaw [2016-10-26 19:54:49]
- Emergency Flash Player patch fixes zero-day critical flaw [2016-10-26 19:40:57]
- CVE-2016-7855 flaw in Adobe Flash Player exploited in targeted attacks [2016-10-26 19:14:16]
- Remote Code Execution Vulnerabilities Plague LibTIFF Library [2016-10-26 18:35:09]
- Adobe Patches Flash Zero Day Under Attack [2016-10-26 17:25:35]
- Adobe Patches Flash Vulnerability Used in Targeted Attacks [2016-10-26 17:25:05]
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html https://helpx.adobe.com/security/products/flash-player/apsb16-36.html https://technet.microsoft.com/library/security/ms16-128
Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.