[Updated] Security updates released by Adobe on Thursday for Flash Player patch four vulnerabilities, including a critical flaw that has been exploited in targeted attacks.
The vulnerability that has been exploited in the wild is tracked as CVE-2018-5002, and it has been described by Adobe as a stack-based buffer overflow that can be leveraged for arbitrary code execution.
The security hole was independently reported to Adobe by researchers at ICEBRG, Qihoo 360 and Tencent.
The researchers have yet to share any details, but Adobe did mention that CVE-2018-5002 has been exploited in limited, targeted attacks against Windows users. Hackers deliver the exploit via malicious Office documents that include specially crafted Flash content. The documents are distributed via email.
The latest version of Flash Player, 126.96.36.199, also patches a critical type confusion vulnerability that can lead to code execution (CVE-2018-4945), an “important” severity integer overflow that can result in information disclosure (CVE-2018-5000), and an “important” out-of-bounds read issue that can also lead to information disclosure (CVE-2018-5001).
CVE-2018-5000 and CVE-2018-500 were reported anonymously through Trend Micro’s Zero Day Initiative (ZDI), while CVE-2018-4945 was reported to Adobe by researchers at Tencent.
Despite Adobe’s plans to kill Flash Player by 2020, threat actors apparently still find zero-day vulnerabilities highly useful.
UPDATE. According to the Advanced Threat Response Team at 360 Core Security, which discovered the Flash exploit on June 1, attacks involving CVE-2018-5002 appear to be mainly aimed at entities in the Middle East.
The exploit has been delivered using a specially crafted Excel spreadsheet named “salary.xlsx,” which includes salary information written in Arabic. A malicious SWF file that contains the zero-day exploit is downloaded from a remote server once the spreadsheet is opened. Researchers say the goal is to download a Trojan, but they have not provided any information on the malware.
Data collected from the command and control (C&C) server suggests that hackers have been making preparations for the attack since February. The C&C domain is designed to mimic a job search website in the Middle East and its name suggests that the target is located in Doha, Qatar.
360 Core Security has published technical details on CVE-2018-5002, which makes it easier for other threat groups to start exploiting the flaw.
UPDATE 2. ICEBRG’s Security Research Team (SRT) has also published a blog post detailing the attack and the Flash Player vulnerability.