Adobe has released security updates for Flash Player that address four vulnerabilities, including a critical issue (CVE-2018-5002) that has been exploited in targeted attacks mainly aimed at entities in the Middle East.
The CVE-2018-5002 vulnerability, reported by researchers at ICEBRG and Qihoo 360 and Tencent, is a stack-based buffer overflow that can be exploited by attackers arbitrary code execution.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 126.96.36.199 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.
“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.”
The researcher did not disclose technical details of the vulnerability, but Adobe confirmed that the zero-day was exploited in targeted attacks against Windows users.
Attackers launched spear phishing attacks using messages with weaponized Office documents (Excel spreadsheet named “salary.xlsx) that contain specially crafted Flash content.
“The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East.” reads the analysis published by Qihoo 360.
The Flash Player 188.8.131.52 version also addresses the following vulnerabilities:
This is the second zero-day discovered in 2018, the first Adobe zero-day, tracked as CVE-2018-4878, was patched in February after it was exploited by North Korea-linked nation-state hackers in attacks aimed at South Korea. The flaw was later exploited by different cybercrime gangs.
According to the analysis published by Qihoo 360, attackers were preparing the campaign recently detected at least since February. The C&C domain appears as a job search website in the Middle East and its name leads the experts into believing that the target is located in Doha, Qatar.
“Through analysis, we can see that the attack used a 0-day vulnerability regardless of the cost. The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target. All clues show this is a typical APT attack. We suggest all relevant organizations and users to update their Flash to the latest versions in a timely manner. ” concludes Qihoo 360.
(Security Affairs – Adobe, CVE-2018-5002)