Adobe has released an emergency update that addresses an actively exploited zero-day flaw in Flash Player that is being used in targeted attacks on Windows users.
The vulnerability, tracked as CVE-2018-5002, is a stack-based buffer overflow vulnerability that allows arbitrary code execution. The flaw has been rated critical.
Several phishing campaigns have been detected that are using Office documents with embedded Flash Player content to download malware. Aside from opening the document, no further user interaction is required. The Flash Player content runs automatically and connects with the attackers C2 server when the document is opened, resulting in the downloading of malware.
The phishing campaigns appear to be targeting companies in Doha, Qatar. ICEBRG, 360 Enterprise Security Group, and Qohoo 360 have been credited with identifying the vulnerability, with the latter indicating the vulnerability is being exploited in a nation-state backed cyberespionage campaign.
The flaw is present in Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Adobe Flash Player for Microsoft Edge and Internet Explorer. Users have been advised to update to the latest version of Flash Player 126.96.36.199 to correct the vulnerability.
A second critical flaw has been corrected in the latest release. CVE-2018-4945 is a type confusion vulnerability identified through Trend Micro’s Zero Day Initiative. The flaw also enables an attacker to execute arbitrary code.
Two further vulnerabilities have been corrected: CVE-2018-5000 is an Integer Overflow flaw and CVE-2018-5001 is an out-of-bounds read vulnerability, both of which have been rated important.
Users of Google Chrome and Microsoft Edge/IE v11 will automatically have the fix downloaded, although that does not appear to have happened at the time of posting. Users of Adobe Flash Player Desktop Runtime for Windows, macOS and Linux will need to upgrade to the latest version of Flash manually. Alternatively, Flash should be disabled or removed.
The update for Adobe Flash Player Desktop Runtime for Linux has been assigned a priority rating of 3; however, on all other platforms the update has been assigned a priority rating of 1 – the highest level.