Adobe disclosed that a Flash zero-day was being exploited in targeted attacks against Windows users. The critical vulnerability was discovered and independently reported by several security firms. Successful exploitation of the vulnerability allows arbitrary code execution which can ultimately lead to an attacker assuming full system control.
On June 1, researchers at several security firms independently reported to Adobe an attack leveraging a new Flash zero-day vulnerability. Adobe issued an emergency patch on June 7 which also included fixes for three other Flash vulnerabilities. There have been no reported attacks leveraging the other three flaws.
Qihoo reported on the zero-day attack in their blog on June 8 as did researchers at security firm ICEBRG. CVE-2018-5002 is a stack-based buffer overflow vulnerability that can be exploited to allow the running of any arbitrary code. According to the Qihoo researchers, the initial attack was mainly against targets in the Middle East.
Very few organizations can apply updates across all systems immediately upon patch release. Attackers stand ready to exploit unpatched systems. It is likely that this critical vulnerability will soon be incorporated in exploit kits that have a much broader reach than the initial attack.
Victims receive a phishing email containing a Microsoft Excel document with an embedded remote Flash file link. The Excel file itself contains no malicious code that can be detected. When the victim opens the Office Document, the trojanized Shock Wave File is automatically downloaded from the attacker’s command-and-control servers and executed. Following its execution, the Flash code exploits the vulnerability, allowing it to run and execute shell code, which ultimately lets an attacker run arbitrary code to take full control of the victim’s machine.
Morphisec customers are protected against such attacks right out of the box, without any need for an update. Any attack attempting to exploit the Flash vulnerability will fail as the exploit cannot utilize the vulnerability to execute arbitrary code.
For non-Morphisec customers, it is recommended to immediately upgrade your Adobe Flash version and disable macros in Microsoft Office.