Zero-day vulnerability in Adobe Flash Player

Use-after-free error

The vulnerability was disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group.

The vulnerability was exploited by the Russian hacker group APT28.

Vulnerability details

Advisory: SB2016102602 - Remote code execution in Adobe Flash Player

Vulnerable component: Adobe Flash Player

CVE-ID: CVE-2016-7855

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when handling .swf files. A remote attacker can trick the victim into visiting a website or opening a file that contains a malicious Flash file and execute arbitrary code on the target system with the privileges of the current user.

Note: this vulnerability was being actively exploited in the wild.

Latest references in media:

- APT28 group is rushing to exploit recent CVE-2017-11292 Flash 0-Day before users apply the patches [2017-10-22 13:30:07]

- Our commitment to our customers’ security [2016-11-01 18:47:27]

- Hardening Windows 10 with zero-day exploit mitigations [2017-01-13 22:28:49]

- Russian Hackers Target Montenegro as Country Joins NATO [2017-06-07 11:00:27]

- Windows 10 Blocks Zero-Days Before Patches Arrive: Microsoft [2017-01-19 00:07:06]

- Code Reuse a Peril for Secure Software Development [2016-12-15 16:10:08]

- Microsoft Bolsters Ransomware Protection in Windows 10 Anniversary Update [2016-11-14 23:45:22]

- Pawn Storm APT conducted spear-phishing attacks before zero-days was fixed [2016-11-13 10:54:57]

- Cyberspies Ramped Up Attacks After Exposure of Zero-Days [2016-11-09 20:23:28]

- Pawn Storm raced to pop many targets before Windows zero-day patch release [2016-11-09 17:14:51]

- Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched [2016-11-09 14:27:42]

- Heavy Patch Tuesday on US Election Day [2016-11-09 12:12:06]

- Microsoft patches CVE-2016-7255 Windows zero-day exploited by Fancy Bear [2016-11-09 09:24:35]

- Adobe issued security patches for 9 Flash Player flaws reported via ZDI [2016-11-09 08:04:18]

- Adobe Patches 9 Flash Player Flaws Reported via ZDI [2016-11-08 17:53:42]

- Adobe Patches Nine Code Execution Flaws in Flash Player [2016-11-08 17:24:58]

- There’s no best way to handle disclosure of zero-day vulnerabilities [2016-11-04 18:15:12]

- Post-pumpkin Patch Tuesday: What’s in store for November [2016-11-03 10:44:43]

- Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch [2016-11-02 15:38:01]

- Microsoft said that a Russian hacking group is using an unpatched Windows kernel vulnerability publicly disclosed by Google [2016-11-02 09:40:12]

- Recent Windows Kernel zero-day exploited by hackers behind the DNC hack [2016-11-02 09:13:58]

- Windows Zero-Day Exploited by Russia-Linked Cyberspies [2016-11-02 09:04:00]

- Flash, Windows Zero-days Are Being Actively Exploited in the Wild [2016-11-01 22:00:31]

- Microsoft flips Google the bird after Windows kernel bug blurt [2016-11-01 20:40:02]

- Google warns of actively exploited Windows zero-day [2016-11-01 10:23:36]

- Google discloses Windows zero-day that has been exploited in the wild [2016-11-01 10:03:43]

- Google Discloses Windows Zero-Day Vulnerability [2016-11-01 09:33:33]

- Google publicly discloses Windows Kernel Zero-Day vulnerability that makes all Windows Users Vulnerable [2016-11-01 08:29:46]

- Google drops a zero-day on Microsoft: Web giant goes public with bug exploited by hackers [2016-10-31 23:10:01]

- Google Reveals Windows Kernel Zero Day Under Attack [2016-10-31 22:03:31]

- ShadowBrokers Dumps Lists of Equation Group Hacked Servers [2016-10-31 18:53:44]

- Security Affairs newsletter Round 84 – News of the week [2016-10-30 13:02:31]

- Patch Your Flash: Another Zero-Day Vulnerability Hits Adobe Flash [2016-10-27 12:42:39]

- Adobe releases Emergency Flash Update to resolve Critical Vulnerability [2016-10-27 00:24:19]

- Adobe kicks out patch for fresh Flash zero-day [2016-10-26 21:00:01]

- Emergency Flash Player patch fixes zero-day critical flaw [2016-10-26 19:54:49]

- Emergency Flash Player patch fixes zero-day critical flaw [2016-10-26 19:40:57]

- CVE-2016-7855 flaw in Adobe Flash Player exploited in targeted attacks [2016-10-26 19:14:16]

- Remote Code Execution Vulnerabilities Plague LibTIFF Library [2016-10-26 18:35:09]

- Adobe Patches Flash Zero Day Under Attack [2016-10-26 17:25:35]

- Adobe Patches Flash Vulnerability Used in Targeted Attacks [2016-10-26 17:25:05]
