Today Adobe disclosed a new Flash zero-day, releasing a patch for the critical vulnerability in an out-of-band update. Successful exploitation gives attackers the ability to execute arbitrary code on the targeted machine, and eventually assume full system control. Morphisec customers are already protected from attacks exploiting this vulnerability.
On November 29, researchers at Qihoo 360 discovered two APT attacks exploiting the zero-day. The attacks use a malicious Microsoft Office document with the zero-day embedded as a Flash ActiveX object and include several evasive techniques to avoid detection by security solutions. At the time of publication, only one of the security solutions on VirusTotal was able to stop the exploit. Adobe has assigned the identifier CVE-2018-15982 to the zero-day.
CVE-2018-15982 is yet another use-after-free vulnerability (Morphisec predicted the rise of these types of vulnerabilities in Q1), implemented in a way very similar to CVE-2018-4878. While the trigger is metadata in com.adobe.tvsdk, the code is not obfuscated, easily reproducible and fully contained within a single file. This is very different from many delivery methods of advanced exploits, in which the critical exploit component or its decryption key is maintained remotely. This could be due to a desire to keep it simple and to avoid triggering security products that flag obfuscation alone.
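Because the delivery described above is an Office document carrying a Flash ActiveX object in a single file, a defender can flag such documents statically. The following is an added example, not Morphisec's or Adobe's code: it scans an OOXML (zip) document for the Shockwave Flash control's CLSID and for an SWF header in embedded `.bin` parts. The function names, the read cap and the sample document are assumptions constructed for illustration.

```python
import io
import re
import uuid
import zipfile

# CLSID of the Shockwave Flash ActiveX control, in the forms it can take on disk.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
CLSID_FORMS = {
    "clsid-text": str(FLASH_CLSID).encode(),              # activeX*.xml attribute
    "clsid-utf16": str(FLASH_CLSID).encode("utf-16-le"),  # wide-string copy
    "clsid-binary": FLASH_CLSID.bytes_le,                 # OLE storage (GUID layout)
}
# SWF header: FWS (raw), CWS (zlib) or ZWS (LZMA), then a version byte.
SWF_HEADER = re.compile(rb"[FCZ]WS[\x03-\x32]")
MAX_MEMBER = 32 * 1024 * 1024  # read cap per archive member (assumed limit)


def scan_ooxml(data: bytes) -> list[tuple[str, str]]:
    """Return (member, indicator) pairs for Flash ActiveX content in an OOXML file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                blob = member.read(MAX_MEMBER)
            lowered = blob.lower()  # CLSID text may be upper- or lower-case
            for name, needle in CLSID_FORMS.items():
                if needle in (blob if name == "clsid-binary" else lowered):
                    findings.append((info.filename, name))
            if info.filename.lower().endswith(".bin") and SWF_HEADER.search(blob):
                findings.append((info.filename, "swf-header"))
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Constructed, inert test document; the .bin holds only a header stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            zf.writestr("word/activeX/activeX1.bin",
                        FLASH_CLSID.bytes_le + b"CWS\x20" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("flash", build_sample(True))):
        print(label, scan_ooxml(doc))
```

A hit means the document embeds Flash content and should be quarantined or inspected further; it does not identify CVE-2018-15982 specifically, and legacy binary `.doc` files are not zip archives and need an OLE parser instead.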
This latest Flash vulnerability is likely to become the new favorite of cybercriminals. Most enterprises will not patch the vulnerability for months. Like the Flash vulnerability CVE-2018-4878, we anticipate CVE-2018-15982 will soon become a staple of exploit kits.
Morphisec Prevents Exploitation of CVE-2018-15982
Morphisec customers never had to worry about this zero-day. Watch as our Moving Target Defense technology stops the attack before it can even start.
Contact one of our security experts to learn how Morphisec keeps your business safe from zero-days and advanced evasive attacks.