Adobe has issued a security update for Flash Player today to patch a zero-day vulnerability exploited by attackers in the wild.
The vulnerability was discovered and independently reported by several security firms —ICEBRG, Tencent, and two security divisions from Chinese cyber-security giant Qihoo 360.
The vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 220.127.116.11 and earlier versions. It was fixed with the release of Flash Player 18.104.22.168.
According to Qihoo 360 Core Security, attackers used the Flash zero-day for attacks against targets in the Middle East. It is believed that a nation-state-backed cyber-espionage group is behind the attacks.
"We boldly suspected that the targeted region is Doha, Qatar," Qihoo 360 Core said today in a blog post detailing the zero-day.
Experts say the hackers used Office files to exploit this Flash zero-day. Attackers would deliver Office files to victims that would load a malicious SWF file from a remote server and execute it inside the Office document.
The malicious SWF file would exploit CVE-2018-5002 to gain the ability to execute code on the user's PC, and later infect him with another strain of malware.
ICEBRG says the vulnerabilities triggers "with little or no user interaction other than opening the document." Detecting the attacks with this zero-day is also hard because the " document by itself does not contain any malicious code," and all the malicious code is downloaded at a second stage.
"The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target," Qihoo experts said. "All clues show this is a typical APT attack."
"We suggest all relevant organizations and users to update their Flash to the latest versions in a timely manner."
According to Will Dormann of CERT/CC, besides patching the actual flaw, Adobe also added an additional dialog window that asks users if they want to load remote SWF files inside Office documents. The prompt mitigation also comes to fix a problem with Office apps, where Flash content is sometimes downloaded automatically, without prompting the user in advance.
It looks like today's update for the Flash vulnerability CVE-2018-5002 introduces a new prompt before loading remote content. Seems like a good idea, for those of you who still have Flash installed on your system for some reason. pic.twitter.com/cGd3iFZpLW— Will Dormann (@wdormann) June 7, 2018
Besides CVE-2018-5002, today's Adobe Flash update also contains fixes for three other vulnerabilities. Flash Player updates are available for Windows, Mac, Linux, and Chrome OS users.
|Vulnerability Category||Vulnerability Impact||Severity||CVE Number|
|Type Confusion||Arbitrary Code Execution||Critical||CVE-2018-4945|
|Integer Overflow||Information Disclosure||Important||CVE-2018-5000|
|Out-of-bounds read||Information Disclosure||Important||CVE-2018-5001|
|Stack-based buffer overflow||Arbitrary Code Execution||Critical||CVE-2018-5002|
This is the second Flash Player zero-day spotted this year. In January, North Korean hackers deployed a first Flash zero-day (CVE-2018-4878) against targets in South Korea.