Flash Player May Be Dying But There’s No Stopping Its Zero-Days
Flash Player is breathing its last few moments but that isn't stopping criminals to leverage its security flaws for attacks in the wild. Adobe has issued a security update for Flash Player today to deliver a patch for a zero-day vulnerability that has already been exploited by threat actors in targeted attacks against Windows users.
The zero-day vulnerability tracked as CVE-2018-5002 is a stack-based buffer overflow that can be exploited for arbitrary code execution. The critical flaw affects Adobe Flash Player 184.108.40.206 and earlier versions. Flash Player version 220.127.116.11 fixes the flaw.
"Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users," the company wrote.
"These attacks leverage Office documents with embedded malicious Flash Player content distributed via email."
The updated version 18.104.22.168 is available for Windows, Linux, macOS, and ChromeOS.
Today's Flash Player update also fixes three other security flaws
Flash Player 22.214.171.124 also brings patches for a critical type confusion vulnerability that can lead to code execution (tracked as CVE-2018-4945 and rated "critical" in severity), an integer overflow that can result in information disclosure (tracked as CVE-2018-5000 and rated "important"), and finally an out-of-bounds read vulnerability leading to information disclosure (tracked as CVE-2018-5001 and rated as "important" in severity).
Adobe has acknowledged "Jihui Lu of Tencent KeenLab and willJ of Tencent PC Manager working with Trend Micro's Zero Day Initiative" for reporting CVE-2018-4945; an anonymous reporter for CVE-2018-5000 and CVE-2018-5001; and Chenming Xu and Jason Jones ICEBRG, Bai Haowen, Zeng Haitao and Huang Chaowen of 360 Threat Intelligence Center of 360 Enterprise Security Group, and Yang Kang, Hu Jiang, Zhang Qing, and Jin Quan of Qihoo 360 Core Security for independently identifying and reporting CVE-2018-5002 that has been seen exploited in the wild.
Adobe plans to kill Flash Player by 2020. However, criminals continue to use its flaws in a wide range of attacks. While zero-days used to be quite a routine for Flash Player, the usage has significantly reduced in the past one year, fueling fewer attacks. Even then, this is the second zero-day being fixed by Adobe this year.
- ICEBRG reports this zero-day has been used in targeted attacks in the Middle East; more information here.