Shane Chambers

Adobe has been forced to release an out-of-schedule emergency security patch after a zero-day vulnerability was discovered in Adobe Flash Player. Adobe is urging users to update to version of Flash Player, which mitigates the zero-day and also addresses three other flaws. The latest flaw was discovered already being exploited in the wild against Windows users, and unlike typical Flash exploits it does not go through the browser: it is delivered through Microsoft Office documents, which it uses to download and execute malicious code.

Most Flash exploits take advantage of web browsers; this zero-day, however, uses Office documents and usually arrives through phishing emails.

“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users,” a spokesperson for the company said. “These attacks leverage Office documents with embedded malicious Flash content distributed via email.”

Attacks arrive as emails with attached Microsoft Office documents containing embedded malicious Flash Player content. The attack loads Adobe Flash from within Microsoft Office, a common approach to Flash exploitation since most people have Flash disabled in the browser. An embedded Flash file in the document might contain the full exploit or set the stage for the attack to selectively download exploits and payloads.

The flaw was discovered by researchers at the security firms ICEBRG and Qihoo 360 Core Security, which have published separate analyses of the techniques. ICEBRG also notes that remote inclusion helps evade detection because the document itself contains no malicious code, so most anti-virus programs will not flag it when it reaches your inbox or downloads folder.

Both firms suspect the targets are based in Qatar: the malicious Excel document was uploaded to online virus databases from a Qatari IP address, and the file's Arabic-language contents, a table of embassy salaries with pay details for secretaries, ambassadors and diplomats, suggest the targets include anyone who would be interested in that information.

ICEBRG also points to several indicators that could suggest a machine is under attack. Any one of them alone might not indicate a threat, but several together could point to malicious activity. Signs include the use of newly registered domains and low-reputation infrastructure, staged downloads of Flash content, a newly observed certificate from a free provider such as Let's Encrypt, and Office documents that embed Flash using remote inclusion.
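The remote-inclusion indicator above can be checked directly in a document before anyone opens it. The following Python scanner is an added example, not code from the article or from either vendor's report: it walks the ActiveX parts of an OOXML file (.xlsx/.docx), flags any control that instantiates the well-known Shockwave Flash ActiveX CLSID, and reports a `Movie`/`src` property that points at a remote URL. The OOXML part layout and the property names are assumptions, and the sample workbook is constructed in memory rather than taken from any real campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Well-known Shockwave Flash ActiveX CLSID (compared without braces, case-insensitive).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"


def _local(name):
    """Strip the XML namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_ooxml(data):
    """Return (part_name, properties, remote_urls) for every ActiveX part that
    instantiates Flash; a non-empty remote_urls list means remote inclusion."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if "activex/" not in low or not low.endswith(".xml"):
                continue
            root = ET.fromstring(zf.read(name))
            attrs = {_local(k): v for k, v in root.attrib.items()}
            classid = attrs.get("classid", "").strip("{}").upper()
            if _local(root.tag) != "ocx" or classid != FLASH_CLSID:
                continue
            props = {}  # persisted control properties (assumed ocxPr name/value layout)
            for el in root.iter():
                if _local(el.tag) == "ocxPr":
                    a = {_local(k): v for k, v in el.attrib.items()}
                    if "name" in a:
                        props[a["name"]] = a.get("value", "")
            remote = [v for k, v in props.items() if k.lower() in ("movie", "src")
                      and v.lower().startswith(("http://", "https://", "ftp://"))]
            findings.append((name, props, remote))
    return findings


def build_sample():
    """Constructed minimal workbook embedding Flash by remote inclusion (not a real sample)."""
    ax_xml = ('<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
              'ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
              'ax:persistence="persistPropertyBag">'
              '<ax:ocxPr ax:name="Movie" ax:value="http://example.invalid/loader.swf"/>'
              '<ax:ocxPr ax:name="AllowScriptAccess" ax:value="always"/></ax:ocx>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")  # placeholder part
        zf.writestr("xl/activeX/activeX1.xml", ax_xml)
    return buf.getvalue()
```

A document with no Flash control, or one whose `Movie` value is a local path, produces no remote finding; pair the scanner's output with the infrastructure indicators (new domains, fresh free certificates) before treating a hit as confirmed.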

As with most modern malware, email is the preferred attack vector, with the only line of defence between the attackers and your company being the end-user sitting at their desk. Since this type of Flash vulnerability will not be flagged by email filtering systems or anti-virus software, protection comes down to the training each person who receives the email has been given by their company.

In a modern cyber security environment where physical firewalls frequently fail to keep major threats out of the networks they protect, many businesses are building a so-called 'human firewall' by training all their staff to recognise and correctly deal with phishing and scam emails that may carry malware.