CVE-2017-11292 — Adobe Flash Player Type Confusion Vulnerability

Adobe Flash Player — Type Confusion Exploited as Zero-Day by Black Oasis APT (FinSpy); APSB17-32 Emergency Patch October 2017; Flash EOL December 2020

What Is Adobe Flash Player?

Adobe Flash Player was a browser plugin that ran SWF (Shockwave Flash) multimedia content in web browsers. Flash was ubiquitous in the 2000s-2010s for web games, video, and interactive content, installed on over 90% of desktops at its peak. Flash's ActionScript virtual machine and its complex multimedia pipeline made it a persistent source of critical memory corruption and type confusion vulnerabilities exploited by APT groups and exploit kits. Adobe announced Flash's end of life in 2017 (effective December 31, 2020), with all major browsers subsequently blocking Flash content.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-11292 is a type confusion vulnerability in Adobe Flash Player exploited as a zero-day by the Black Oasis APT group to deliver FinSpy commercial spyware before Adobe's emergency patch. Kaspersky Lab discovered active exploitation on October 16, 2017 — the same day Adobe released the emergency fix in APSB17-32 (Flash Player 27.0.0.170). Black Oasis targeted high-profile individuals in the Middle East with malicious documents containing embedded Flash SWF files. Flash Player is now end-of-life (December 31, 2020) — any system still running Flash is permanently vulnerable to this and all subsequent unpatched Flash vulnerabilities. CISA added CVE-2017-11292 to the KEV catalog in March 2022.

Affected Versions

Flash Player Version | Status
Flash Player 27.0.0.159 and earlier | Vulnerable
Flash Player 27.0.0.170 and later | Fixed
All versions (EOL December 2020) | No further patches; uninstall required

Technical Details

Root Cause: Type Confusion in ActionScript Virtual Machine

CVE-2017-11292 is a type confusion vulnerability (CWE-843) in the Flash Player ActionScript virtual machine. Type confusion occurs when code treats an object of one type as if it were an object of a different, incompatible type. In Flash's ActionScript engine, objects are represented with type tags that determine which operations are valid. When a type confusion condition is triggered — by crafted ActionScript code that coerces an object to an unexpected type — the engine may call methods on incorrect virtual function tables or access memory at incorrect offsets relative to the object, leading to controlled memory corruption.

Exploitation characteristics:

  • A malicious SWF file contains ActionScript code that triggers the type confusion condition
  • The SWF can be embedded in an Office document (.docx, .xlsx), PDF, or HTML page
  • Successful exploitation achieves code execution in the Flash Player process context
  • On Windows, Flash runs in a sandbox (Protected Mode in browsers) — achieving full system access may require chaining with a local privilege escalation

Black Oasis targeting: Kaspersky attributed CVE-2017-11292 to Black Oasis — a threat actor assessed to be connected to the FinSpy commercial spyware ecosystem. The group targeted UN officials, opposition politicians, and journalists in the Middle East with weaponized Office documents containing malicious embedded Flash content that delivered FinSpy surveillance software.

Attack Characteristics

Attribute | Detail
Attack Vector | Malicious SWF embedded in document or web page
User Interaction | Required (open document or visit page)
Threat Actor | Black Oasis APT (FinSpy-linked)
Payload | FinSpy commercial surveillance software
Browser Sandbox | May limit impact; LPE chain needed for full access

Discovery

Kaspersky Lab researchers discovered CVE-2017-11292 in active exploitation on October 16, 2017 and notified Adobe. Adobe released the emergency patch APSB17-32 the same day — one of the fastest Flash emergency patch turnarounds.

Exploitation Context

  • Zero-day in targeted espionage: Black Oasis's use of CVE-2017-11292 as a zero-day to deliver FinSpy reflects the commercial spyware ecosystem's reliance on Flash vulnerabilities for targeted surveillance against dissidents, journalists, and opposition figures in authoritarian contexts
  • Flash's persistent zero-day problem: CVE-2017-11292 was one of several Flash zero-days disclosed in 2017 alone; Adobe's announcement of Flash's end-of-life in July 2017 (effective 2020) was partly driven by the inability to eliminate the class of vulnerabilities that made Flash a perpetual attack vector
  • Browser Flash removal: Most major browsers began blocking Flash by default in 2016-2017; CVE-2017-11292 primarily impacted systems where users had explicitly enabled Flash or where IT policy hadn't blocked it
  • CISA KEV (2022): Added March 2022; the remediation action is "The impacted product is end-of-life and should be disconnected if still in use" — CISA's position is that Flash must be uninstalled, not patched

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Uninstall Adobe Flash Player — Flash Player reached end of life on December 31, 2020. Adobe blocked Flash content from running in Flash Player beginning January 12, 2021. All Flash Player installations must be removed from all systems. There is no supported version of Flash Player to update to.

  2. Use Flash removal tools — Adobe published a Flash Player uninstaller; use it on all Windows systems. Check both 32-bit and 64-bit Flash installations.

  3. Identify systems still running Flash — scan for Flash Player installations via endpoint management tools or software inventory; any remaining Flash installation is unpatched and permanently vulnerable.

  4. Block Flash at network level — deploy content filtering to block SWF files and Flash-related MIME types (application/x-shockwave-flash) from entering the network.

  5. Migrate Flash-dependent applications — if internal applications still require Flash, migrate them to HTML5 or other modern technologies immediately; Flash-dependent applications represent an unacceptable ongoing security risk.
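The SWF-in-document delivery vector described under Technical Details and the SWF/MIME-type block in step 4 both come down to recognising Flash content on the way in. As an added example (not code from this page, Adobe, Kaspersky or CISA), the Python script below flags SWF headers (FWS, CWS, ZWS) and the application/x-shockwave-flash MIME type inside raw files and OOXML Office packages; the .docx-like sample it builds is constructed for the demonstration.

```python
# Added example (not Adobe/Kaspersky/CISA code); the sample package built below is constructed.
import io
import struct
import zipfile

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed SWF
FLASH_MIME = b"application/x-shockwave-flash"  # MIME type named in remediation step 4

def swf_header_hits(data: bytes):
    """Return (offset, signature, version, length) for each plausible SWF header in data."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while (pos := data.find(sig, start)) != -1:
            start = pos + 1
            if pos + 8 > len(data):
                break
            version = data[pos + 3]
            length = struct.unpack_from("<I", data, pos + 4)[0]
            # Keep only sane headers: version byte in range, length field at least the
            # 8-byte header, and for uncompressed FWS not longer than the data itself.
            if 1 <= version <= 50 and length >= 8:
                if sig == b"FWS" and length > len(data) - pos:
                    continue
                hits.append((pos, sig.decode(), version, length))
    return hits

def scan_document(blob: bytes):
    """Scan a raw file or an OOXML zip package; return a list of finding strings."""
    members = [("<raw>", blob)]
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [(name, zf.read(name)) for name in zf.namelist()]
    findings = []
    for name, data in members:
        if name == "[Content_Types].xml" and FLASH_MIME in data:
            findings.append(f"{name}: declares {FLASH_MIME.decode()}")
        for off, sig, ver, ln in swf_header_hits(data):
            findings.append(f"{name}@{off}: {sig} v{ver} len={ln}")
    return findings

def build_sample_docx_with_swf() -> bytes:
    """Constructed .docx-like package with a fake compressed SWF inside an OLE embedding."""
    fake_swf = b"CWS" + bytes([27]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\0" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<Types><Default Extension="swf" ContentType="application/x-shockwave-flash"/></Types>')
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 32 + fake_swf)
    return buf.getvalue()
```

Running scan_document(build_sample_docx_with_swf()) reports both the declared MIME type and the CWS header at offset 36 of the embedding; run it over a mail or web gateway's quarantined attachments to find documents that should never reach a host still carrying Flash Player.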

Key Details

Property | Value
CVE ID | CVE-2017-11292
Vendor / Product | Adobe — Flash Player
NVD Published | 2017-10-22
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-843 — Access of Resource Using Incompatible Type ('Type Confusion')
CISA KEV Added | 2022-03-03
CISA KEV Deadline | 2022-03-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date | Event
2017-10-16 | Kaspersky Lab reports CVE-2017-11292 being exploited as a zero-day by the Black Oasis APT group delivering FinSpy
2017-10-16 | Adobe releases emergency patch APSB17-32 fixing CVE-2017-11292 in Flash Player 27.0.0.170
2017-10-22 | CVE-2017-11292 published by NVD
2020-12-31 | Adobe Flash Player reaches end of life; all browsers block Flash content
2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2017-11292 | Vulnerability Database
CISA KEV Catalog Entry | US Government
Adobe Security Bulletin APSB17-32 | Vendor Advisory