Latest Flash 0day exploit delivered via booby-trapped Office file

Four days have passed since Adobe patched the latest Flash Player 0day vulnerability exploited in attacks in the wild and, in the meantime, we have been given more details about the attacks and the exploit used.

Genwei Jiang, the FireEye researcher who has been credited, along with several others, with the discovery of the flaw (CVE-2016-4117), says that the initial attacks were leveraged against targets running Windows and Microsoft Office.

“Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment,” he explained.

Victims would open the malicious Office document, and be shown a decoy one, while the Flash exploit encoded in the file would be delivered and ultimately lead to the download of malware.

Additional technical details about the flaw and the exploit can be found in this blog post.

Users who have failed to implement the patch are urged to do so as soon as possible, especially if they use Windows and MS Office.

“Additionally, Flash Player users could consider employing additional mitigations, such as EMET from Microsoft, to make their systems more difficult and costly to exploit,” says Jiang.

Alternatively, they could get rid of Flash Player if they don’t need it.

Coincidentally, it was revealed last week that Google is planning to phase out full support for Flash player on its Chrome browser by the end of 2016.