Adobe issues emergency patch for new, critical zero-day Flash flaw

Adobe has issued an emergency patch for a new critical zero-day affecting Flash players that is actively being exploited in the wild, along with three other vulnerabilities. The critical Flash player vulnerability (CVE-2018-5002), is a stack-based buffer overflow flaw in the Flash player version 29.0.0.171 that could allow the attacker to perform arbitrary code execution.

The vulnerability affects Flash Player Desktop Runtime (Windows, Macintosh, and Linux platforms) Flash Player for Google Chrome (Windows, Macintosh, Linux and Chrome OS platforms), and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1 platforms).

According to Adobe, the vulnerability was discovered and reported by three different security firms including ICEBRG, 360 Threat Intelligence Center of 360 Enterprise Security Group, and Qihoo 360 Core Security.

The attackers use carefully created Microsoft Office documents sent via phishing emails to exploit the Adobe Flash vulnerability. Once a user opens the Shockwave Flash file, it downloads the malicious exploit to perform code execution on the system. The file then connects to the c&c server by executing a shellcode.

“Typically, the final payload consists of shell code that provides backdoor functionality to the system or stages additional tools,” ICEBRG researchers said. "The vulnerabilities triggers with little or no user interaction other than opening the document."

They also noted that detecting attacks with this zero-day is difficult because the “document by itself does not contain any malicious code," and all the malicious code is downloaded at a second stage.

Qihoo researchers believe state-sponsored or state-backed cyber espionage attackers are leveraging the zero-day against targets in the Middle East.

"We boldly suspected that the targeted region is Doha, Qatar," Qihoo 360 Core said in a blog post which analyzed the bug.

"The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target. All clues show this is a typical APT attack. We suggest all relevant organizations and users to update their Flash to the latest versions in a timely manner."

Security researchers have urged users to immediately update their Adobe Flash players to the latest version 30.0.0.113.

"Adobe also added an additional dialog window that asks users if they want to load remote SWF files inside Office documents besides patching the actual flaw," Will Dormann of CERT/CC said in a Twitter post.

The newly discovered zero-day comes as the second one affecting Flash Player this year after North Korean hackers were caught exploiting CVE-2018-4878 against targets in South Korea.

Adobe also patched three other important vulnerabilities, namely CVE-2018-4945, which could allow for arbitrary code execution, and other two others - CVE-2018-5000 and CVE-2018-5001 - could lead to information disclosure.