Adobe has released a security update that fixes a zero-day vulnerability that has been exploited in targeted attacks. The zero-day vulnerability, tracked as CVE-2017-11292, is a “type confusion” vulnerability that could lead to code execution on the victim’s systems.
The flaw affects Flash Player 27.0.0.159 on Windows, Mac, Linux and Chrome OS. Microsoft will likely release an update as well to patch the Flash Player components used by its products.
The vulnerability was reported to Adobe by a security researcher from Kaspersky Lab. The only detail available so far is that the flaw has been exploited in targeted attacks against Windows users.
According to Kaspersky:
“On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today:”
To check the version of Flash Player installed on your system, visit the About Flash Player page, or right-click on content running in Flash Player and choose “About Adobe (or Macromedia) Flash Player” from the menu.