CONFERENCE Watch Now: Threat Detection & Incident Response (TDIR) Summit - Watch Event On-Demand
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Adobe Patches Flash Zero-Day Exploited in Targeted Attacks

[Updated] Security updates released by Adobe on Thursday for Flash Player patch four vulnerabilities, including a critical flaw that has been exploited in targeted attacks.

[Updated] Security updates released by Adobe on Thursday for Flash Player patch four vulnerabilities, including a critical flaw that has been exploited in targeted attacks.

The vulnerability that has been exploited in the wild is tracked as CVE-2018-5002, and it has been described by Adobe as a stack-based buffer overflow that can be leveraged for arbitrary code execution.

The security hole was independently reported to Adobe by researchers at ICEBRG, Qihoo 360 and Tencent.

The researchers have yet to share any details, but Adobe did mention that CVE-2018-5002 has been exploited in limited, targeted attacks against Windows users. Hackers deliver the exploit via malicious Office documents that include specially crafted Flash content. The documents are distributed via email.

The latest version of Flash Player, 30.0.0.113, also patches a critical type confusion vulnerability that can lead to code execution (CVE-2018-4945), an “important” severity integer overflow that can result in information disclosure (CVE-2018-5000), and an “important” out-of-bounds read issue that can also lead to information disclosure (CVE-2018-5001).

CVE-2018-5000 and CVE-2018-500 were reported anonymously through Trend Micro’s Zero Day Initiative (ZDI), while CVE-2018-4945 was reported to Adobe by researchers at Tencent.

Despite Adobe’s plans to kill Flash Player by 2020, threat actors apparently still find zero-day vulnerabilities highly useful.

This is the second zero-day discovered in 2018. The first was patched in February after North Korean hackers exploited it for several months in attacks aimed at South Korea.

Advertisement. Scroll to continue reading.

UPDATE. According to the Advanced Threat Response Team at 360 Core Security, which discovered the Flash exploit on June 1, attacks involving CVE-2018-5002 appear to be mainly aimed at entities in the Middle East.

The exploit has been delivered using a specially crafted Excel spreadsheet named “salary.xlsx,” which includes salary information written in Arabic. A malicious SWF file that contains the zero-day exploit is downloaded from a remote server once the spreadsheet is opened. Researchers say the goal is to download a Trojan, but they have not provided any information on the malware.

Data collected from the command and control (C&C) server suggests that hackers have been making preparations for the attack since February. The C&C domain is designed to mimic a job search website in the Middle East and its name suggests that the target is located in Doha, Qatar.

360 Core Security has published technical details on CVE-2018-5002, which makes it easier for other threat groups to start exploiting the flaw.

UPDATE 2. ICEBRG’s Security Research Team (SRT) has also published a blog post detailing the attack and the Flash Player vulnerability.

Related: Adobe Patches Flash Zero-Day Exploited by North Korean Hackers

Related: Middle East Group Uses Flash Zero-Day to Deliver Spyware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.