Stop us if you've heard this one: Adobe Flash gets emergency patch for zero-day exploit
The internet's screen door gets kicked open once again
Adobe has kicked out an out-of-band update for a security vulnerability in Flash – after learning the bug was being actively exploited in the wild by hackers to hijack PCs.
The Photoshop giant said today its Flash Player 18.104.22.168 update should be a top installation priority for Mac, Windows, and Linux systems.
One of the vulnerabilities addressed in the patch, CVE-2018-5002, is a remote code execution flaw stemming from a buffer overflow bug. Computer security experts believe the flaw is being exploited right now by miscreants to commandeer victims' PCs.
"Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users," a spokesperson for the Creative Cloud goliath said.
"These attacks leverage Office documents with embedded malicious Flash content distributed via email."
According to researchers at security shop Icebrg, the attacks have been concentrated in the Middle East, quite possibly against individuals in Qatar. In this case, the Flash code flaw is exploited via the ActiveX plugin for Office. Marks are sent an Excel spreadsheet that purports to contain salary information, but when opened pulls up Flash and executes the exploit code.
"The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers," explained Icebrg in its summary of the attack.
"Attackers typically embed a Flash file within a document, which may contain the entire exploit, or may stage the attack to download exploits and payloads more selectively."
Nork hackers exploit Flash bug to pwn South Koreans. And Adobe will deal with it next weekREAD MORE
In addition to the hidden zero-day exploit code, Team Icebrg said the malicious documents can be spotted through their use of a mismatched Let's Encrypt HTTPS certificate, and relies on a number of recently created domain names from a hosting provider that has been previously associated with malware operations.
"While this attack leveraged a zero-day exploit, individual attacker actions do not happen in isolation," the researchers wrote.
"There are several other behavioral aspects that can be used for detection."
In addition to CVE-2018-5002, the Flash update addresses a remote code execution flaw from a type confusion error (CVE-2018-4945), and two information disclosure flaws triggered by an integer overflow (CVE-2018-5000) and an out-of-bounds read error (CVE-2018-5001).
Needless to say, users and administrators should test and install the updates as quickly as possible. ®