Adobe has issued a security update for Flash Player today to patch a zero-day vulnerability exploited by attackers in the wild.
The vulnerability was discovered and independently reported by several security firms: ICEBRG, Tencent, and two security divisions of Chinese cyber-security giant Qihoo 360.
The vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 220.127.116.11 and earlier versions. It was fixed with the release of Flash Player 18.104.22.168.
Flash zero-day exploited via Office files
According to Qihoo 360 Core Security, attackers used the Flash zero-day for attacks against targets in the Middle East. It is believed that a nation-state-backed cyber-espionage group is behind the attacks.
“We boldly suspected that the targeted region is Doha, Qatar,” Qihoo 360 Core said today in a blog post detailing the zero-day.
Experts say the hackers used Office files to exploit this Flash zero-day. Attackers would deliver Office files to victims that would load a malicious SWF file from a remote server and execute it inside the Office document.
The malicious SWF file would exploit CVE-2018-5002 to gain code execution on the user’s PC and then infect the victim with a second strain of malware.
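The delivery chain described above leaves two artifacts a defender can look for inside an OOXML document: an external relationship that points at a .swf, and an embedded Flash ActiveX part. The following Python triage check is an added example, not code from the article or from any of the vendors it cites; the sample documents, the example.invalid URL and the part layout are constructed, while the CLSID is the real Shockwave Flash control identifier.

```python
import io
import re
import zipfile

# Real, well-known CLSID of the Shockwave Flash ActiveX control; its presence
# in an Office file means the document embeds a Flash object.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
TARGET_RE = re.compile(r'Target="([^"]+)"', re.I)


def scan_office_document(data: bytes) -> list:
    """Return (finding, part_or_target) pairs for an OOXML file held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue  # binary parts (images, .bin OLE streams) are skipped here
            text = zf.read(name).decode("utf-8", errors="ignore")
            # 1. External relationships: a remote .swf can be fetched on open.
            if name.lower().endswith(".rels"):
                for rel in REL_RE.findall(text):
                    if 'TargetMode="External"' not in rel:
                        continue
                    m = TARGET_RE.search(rel)
                    if m and m.group(1).lower().split("?")[0].endswith(".swf"):
                        findings.append(("remote_swf", m.group(1)))
            # 2. An embedded Flash ActiveX control, identified by CLSID or ProgID.
            if FLASH_CLSID in text.upper() or "SHOCKWAVEFLASH" in text.upper():
                findings.append(("flash_activex", name))
    return findings


def build_sample_docx(remote_swf: bool) -> bytes:
    """Constructed minimal .docx; with remote_swf=True it mimics the loader pattern."""
    rels = '<?xml version="1.0"?><Relationships>'
    if remote_swf:  # constructed relationship to a hypothetical remote SWF
        rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                 'officeDocument/2006/relationships/control" '
                 'Target="http://example.invalid/loader.swf" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        if remote_swf:
            zf.writestr("word/activeX/activeX1.xml",
                        f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}"/>')
    return buf.getvalue()
```

Either finding on its own is worth a closer look at the file; both together match the loader pattern the researchers describe.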
Zero-day attacks in the making for three months
“The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target,” Qihoo experts said. “All clues show this is a typical APT attack.”
“We suggest that all relevant organizations and users update their Flash to the latest versions in a timely manner.”
Besides CVE-2018-5002, today’s Adobe Flash update also contains fixes for three other vulnerabilities. Flash Player updates are available for Windows, Mac, Linux, and Chrome OS users.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Type Confusion | Arbitrary Code Execution | Critical | CVE-2018-4945 |
| Integer Overflow | Information Disclosure | Important | CVE-2018-5000 |
| Out-of-bounds read | Information Disclosure | Important | CVE-2018-5001 |
| Stack-based buffer overflow | Arbitrary Code Execution | Critical | CVE-2018-5002 |
This is the second Flash Player zero-day spotted this year. In January, North Korean hackers deployed a first Flash zero-day (CVE-2018-4878) against targets in South Korea.