Adobe has issued a critical security update for its Flash Player, addressing a zero-day vulnerability that is currently under active exploitation. This flaw poses significant risks to Windows users, with attacks being specifically aimed at individuals in the Middle East, leveraging crafted Excel documents as vectors for the exploit.

Discovered independently by various cybersecurity firms, the vulnerability—designated CVE-2018-5002—affects Adobe Flash Player versions up to 29.0.0.171 across multiple operating systems, including Windows, macOS, and Linux, as well as Google Chrome’s Flash Player. The threat primarily involves remote code execution facilitated through malicious Office documents that exploit the underlying weaknesses in the Flash Player’s handling of exceptions.

Qihoo 360, one of the firms tracking the vulnerability, detailed how the exploit works. According to their analysis, the attackers craft an Office document that triggers the Flash vulnerability once opened, after which malicious payloads are delivered from remote servers. Because the flaw allows arbitrary code execution, an attacker can take substantial control of a targeted system.

The vulnerability is a stack-based buffer overflow within the Flash Player’s interpreter code. Researchers note that the interpreter fails to adequately manage exceptions tied to try/catch statements, which presents an opening for exploitation. By leveraging the getlocal and setlocal instructions in the catch block, attackers can read from and write to arbitrary addresses on the stack.
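One defensive check that follows from the delivery vector described above, added here as an example and not taken from Adobe or the firms that analysed the attack: a small Python scanner that flags Office documents carrying an embedded SWF object by parsing the SWF header rather than trusting file extensions. The OOXML member name and the fake SWF header in the sample are constructed for illustration.

```python
import io
import struct
import zipfile

# SWF signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA)
SWF_MAGICS = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

def find_swf_headers(data: bytes, member: str = "<raw>") -> list:
    """Return (member, offset, compression, version) for each plausible SWF
    header in a byte stream: 3 magic bytes, 1 version byte, then a
    little-endian uint32 uncompressed length. The length and version fields
    act as sanity checks so stray 'FWS' text does not produce hits."""
    hits = []
    for magic, comp in SWF_MAGICS.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            start = pos + 1
            if pos + 8 > len(data):
                continue
            version = data[pos + 3]
            (length,) = struct.unpack_from("<I", data, pos + 4)
            # Embedded Flash objects are small; the declared length must at
            # least cover the 8-byte header.
            if 8 <= length <= 64 * 1024 * 1024 and 1 <= version <= 50:
                hits.append((member, pos, comp, version))
    return hits

def scan_office_document(blob: bytes) -> list:
    """Scan an Office file for embedded Flash. OOXML (.xlsx/.docx/.pptx) is a
    zip container, so each member is inspected; anything else (e.g. a legacy
    OLE2 .xls) is scanned as a flat byte stream."""
    if blob.startswith(b"PK\x03\x04"):
        hits = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits.extend(find_swf_headers(zf.read(name), name))
        return hits
    return find_swf_headers(blob)

def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal OOXML-style zip whose embedded OLE object
    is a fake SWF (header only, no Flash bytecode)."""
    fake_swf = b"CWS" + bytes([29]) + struct.pack("<I", 4096) + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", fake_swf)
    return buf.getvalue()
```

Any hit on an inbound spreadsheet is a strong signal to quarantine the file until Flash Player is confirmed patched, since legitimate workbooks rarely carry Flash content.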

Compounding the seriousness of the situation, metadata from the web domain connected to the reported attacks suggests preparatory activity has been under way since February. The domain mimicked a job search site in the Middle East, likely serving the command and control (C&C) operations for these zero-day attacks.

In addition to the critical CVE-2018-5002, Adobe has released patches for two other vulnerabilities rated “important”: CVE-2018-5000, an integer overflow, and CVE-2018-5001, an out-of-bounds read. Both could lead to information disclosure.

As a proactive measure, all users are strongly encouraged to update their Adobe Flash Player to the latest version—30.0.0.113—either through the software’s internal update feature or by visiting the official Adobe Flash Player Download Center.

Given the nature of this vulnerability and the tactics potentially employed in such attacks, relevant techniques from the MITRE ATT&CK framework may include initial access exploiting local file inclusion and remote execution through the delivery of malicious documents. Businesses should remain vigilant, applying updates promptly and maintaining robust cybersecurity practices to counter these emerging threats.
