Adobe releases fix for actively exploited Flash Player zero-day

If you’re still using Flash Player, it’s time to update it again – and quickly: Adobe has just patched a critical zero-day vulnerability (CVE-2018-5002) that is being actively exploited in the wild.

The attacks are “limited, targeted attacks against Windows users,” but updates (v30.0.0.113 for all platforms) are available for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.


About CVE-2018-5002 and the attacks

It is a stack-based buffer overflow vulnerability that was independently discovered by researchers at Qihoo 360, ICEBRG and Tencent.

This attack mainly targets the Middle East, Qihoo 360 researchers noted. The file that delivers the exploit is named ***salary.xls. The file’s content is consistent with the title, is in Arabic (it is believed that the targets are in Qatar) and shows salaries for various time periods.

“The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers. Attackers typically embed a Flash file within a document, which may contain the entire exploit, or may stage the attack to download exploits and payloads more selectively (e.g. APT28/Sofacy DealersChoice). This leaves, at a minimum, a small Flash loader that defenders can flag for detection and analysts can fingerprint for tracking,” ICEBRG researchers explained.

“Contrary to typical tactics, this attack uses a lesser-known feature that remotely includes the Flash content instead of directly embedding it within the document.”

Once the document was opened, the exploit code and malicious payload were delivered from remote servers.
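A defender-side check for the two delivery patterns ICEBRG describes (a Flash movie stored inside an Office document, or Flash content pulled from a remote URL through the ActiveX control's property bag), written as an added example that is not from the article or from any of the research teams. The OOXML ActiveX part layout, the Flash control CLSID and the sample workbook are assumptions constructed here, not artefacts of the campaign.

```python
"""Flag Office Open XML files that embed Flash or load it from a remote URL."""
import io
import re
import zipfile
from typing import List

# CLSID of the Shockwave Flash ActiveX control (assumed well-known value, not from the article).
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
REMOTE_URL = re.compile(r'ax:value="((?:https?|ftp)://[^"]+)"', re.IGNORECASE)


def scan_ooxml(data: bytes) -> List[str]:
    """Return findings for an OOXML (docx/xlsx/pptx) blob: a list of tagged strings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            # Pattern 1: a Flash movie embedded as a binary part (the "small loader").
            if blob[:3] in SWF_MAGICS:
                findings.append(f"embedded-swf:{name}")
            # Pattern 2: an ActiveX property bag that instantiates the Flash control,
            # possibly pointing its Movie property at a remote server.
            if name.lower().endswith(".xml"):
                text = blob.decode("utf-8", "replace")
                if FLASH_CLSID in text.lower():
                    findings.append(f"flash-activex:{name}")
                    for url in REMOTE_URL.findall(text):
                        findings.append(f"remote-flash:{url}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: an xlsx-like zip with a remote-loading Flash control and an embedded SWF."""
    activex_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
        'ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" ax:persistence="persistPropertyBag">'
        '<ax:ocxPr ax:name="Movie" ax:value="http://example.invalid/loader.swf"/>'
        "</ax:ocx>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/activeX/activeX1.xml", activex_xml)
        zf.writestr("xl/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample()):
        print(finding)
```

Either finding type is a reason to quarantine the document for analysis; a remote-flash URL additionally gives a network indicator to check in proxy logs.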

Flash Player updates

The Flash Player updates also contain fixes for three additional flaws, one of which can likewise lead to arbitrary code execution.

Users who have selected the option to “Allow Adobe to install updates” will receive the update automatically. Users who haven’t done that can install the update via the update mechanism within the product. Another option is to remove Flash Player altogether from their machines.
