Flash Player logo

Adobe has issued a security update for Flash Player today to patch a zero-day vulnerability exploited by attackers in the wild.

The vulnerability was discovered and independently reported by several security firms —ICEBRG, Tencent, and two security divisions from Chinese cyber-security giant Qihoo 360.

The vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions. It was fixed with the release of Flash Player 30.0.0.113.

Flash zero-day exploited via Office files

According to Qihoo 360 Core Security, attackers used the Flash zero-day for attacks against targets in the Middle East. It is believed that a nation-state-backed cyber-espionage group is behind the attacks.

"We boldly suspected that the targeted region is Doha, Qatar," Qihoo 360 Core said today in a blog post detailing the zero-day.

Experts say the hackers used Office files to exploit this Flash zero-day. Attackers would deliver Office files to victims that would load a malicious SWF file from a remote server and execute it inside the Office document.

Flash zero-day CVE-2018-5002

The malicious SWF file would exploit CVE-2018-5002 to gain the ability to execute code on the user's PC, and later infect him with another strain of malware.

ICEBRG says the vulnerabilities triggers "with little or no user interaction other than opening the document." Detecting the attacks with this zero-day is also hard because the " document by itself does not contain any malicious code," and all the malicious code is downloaded at a second stage.

Zero-day attacks in the making for three months

"The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target," Qihoo experts said. "All clues show this is a typical APT attack."

"We suggest all relevant organizations and users to update their Flash to the latest versions in a timely manner."

According to Will Dormann of CERT/CC, besides patching the actual flaw, Adobe also added an additional dialog window that asks users if they want to load remote SWF files inside Office documents. The prompt mitigation also comes to fix a problem with Office apps, where Flash content is sometimes downloaded automatically, without prompting the user in advance.

Besides CVE-2018-5002, today's Adobe Flash update also contains fixes for three other vulnerabilities. Flash Player updates are available for Windows, Mac, Linux, and Chrome OS users.

Vulnerability Category Vulnerability Impact Severity CVE Number
Type Confusion Arbitrary Code Execution Critical CVE-2018-4945
Integer Overflow Information Disclosure Important CVE-2018-5000
Out-of-bounds read Information Disclosure Important CVE-2018-5001
Stack-based buffer overflow Arbitrary Code Execution Critical CVE-2018-5002

This is the second Flash Player zero-day spotted this year. In January, North Korean hackers deployed a first Flash zero-day (CVE-2018-4878) against targets in South Korea.

Related Articles:

Google fixes Chrome zero-days exploited at Pwn2Own 2024

Google: Spyware vendors behind 50% of zero-days exploited in 2023

Mozilla fixes two Firefox zero-day bugs exploited at Pwn2Own

Russian hackers target German political parties with WineLoader malware

Hackers earn $1,132,500 for 29 zero-days at Pwn2Own Vancouver