According to the alert published by the KISA, the vulnerability affects the latest Flash Player version 18.104.22.168 and earlier.
The zero-day vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.
“A zero-day vulnerability has been found in Adobe Flash Player. An attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file,” reads the advisory published by the Korean CERT.
According to the researcher Simon Choi the Flash Player zero-day has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.
Hackers exploited the vulnerability to deliver a malware, in the image shared by Choi on Twitter shows that the exploit has been delivered via malicious Microsoft Excel files.
Flash 0day vulnerability that made by North Korea used from mid-November 2017. They attacked South Koreans who mainly do research on North Korea. (no patch yet) pic.twitter.com/bbjg1CKmHh
— Simon Choi (@issuemakerslab) February 1, 2018
According to Adobe, the flaw is a critical use-after-free that allows remote code execution that received the code CVE-2018-4878.
The zero-day has been exploited in limited, surgical attacks against Windows users, Adobe plans to release a security update for the next week.
“A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 22.214.171.124 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.” reads the security advisory published by Adobe.
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.”
Waiting for the security updates, users should implement mitigations.
“Beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content,” Adobe suggests. “Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.”
(Security Affairs – Flash Zero-Day, North Korea)