[U] North Korea Has Been Exploiting a Flash Player 0-Day Since November – Grants Attackers Full Control (Patch Unavailable)
It's 2018 and Flash Player vulnerabilities are still being exploited in the wild. South Korean authorities have released a warning about a new Flash zero day spotted in the wild. Security researchers suggest that North Korean hackers are responsible for exploiting this Flash Player zero day, targeting South Korean individuals who focus on researching North Korea.
The South Korean Computer Emergency Response Team (KR-CERT) in its warning said that an "attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file." The Word or Excel document embeds a Flash SWF file. From this warning, it appears that the bug hasn't been addressed by Adobe as yet, which means systems elsewhere could also be at risk.
KR-CERT said that Adobe Flash Player ActiveX 126.96.36.199 and earlier are vulnerable to this new zero day bug. It should be noted that 188.8.131.52 is the current version of the software.
New Adobe Flash Player Zero Day Spotted in the Wild
South Korean security researcher Simon Choi said that North Korean threat actors have been exploiting this Flash Player zero day since mid-November 2017. The attacks primarily target South Korean researchers focused on North Korea.
Flash 0day vulnerability that was made by North Korea, used from mid-November 2017. They attacked South Koreans who mainly do research on North Korea. (no patch yet) pic.twitter.com/bbjg1CKmHh
— Simon Choi (@issuemakerslab) February 1, 2018
Since it's a zero day bug, details remain scarce as Adobe rushes to deliver a quick fix, likely ahead of the scheduled Patch Tuesday releases. In the meantime, KR-CERT has shared the following temporary recommendations (translated via Google Translate):
- Until Adobe releases a security patch for the vulnerability, remove Flash Player (Control Panel > Uninstall or change a program > remove Adobe Flash Player).
- Apply the security updates that have already been released.
- To reduce the damage caused by the vulnerability, users should comply with the following:
- Do not visit untrusted websites.
- Do not open email attachments or links from unknown sources.
- Keep antivirus programs updated and enable real-time monitoring.
- Using Firefox is recommended.
Though the translation is very poor, the tips are what security experts have always shared: remove Flash Player if it is not needed, never open suspicious email attachments, and never download anything from unknown sources or sites.
We will update this space as a fix is delivered by Adobe or more details about this bug are shared.
[Update]: Adobe responds
Adobe has published an advisory, tracking the zero day bug with CVE-2018-4878. Rated critical, the vulnerability can enable attackers to take full control of the affected system. "Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users," the company said. "These attacks leverage Office documents with embedded malicious Flash content distributed via email."
The patch is planned for the week of February 5. "Beginning with Flash Player 27, administrators have the ability to change Flash Player's behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content," the company spokesperson said. "For more details, see this administration guide. Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode."
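As an added defensive example (not code from the original article, KR-CERT or Adobe), the following Python scanner flags Office documents that carry embedded Flash content, the delivery vector Adobe describes above. It assumes the OOXML ActiveX part references the Flash control CLSID and that the SWF body is stored inside the package; the sample document it scans is constructed inline.

```python
import io
import re
import struct
import zipfile

# CLSID of the Flash Player ActiveX control, referenced by OOXML activeX*.xml parts
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA)
SWF_MAGIC = re.compile(rb"[FCZ]WS")

def find_swf_headers(data: bytes):
    """Return offsets of plausible SWF headers in a byte buffer.
    A header is signature(3) + version(1) + little-endian uint32 file length."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        (length,) = struct.unpack_from("<I", data, off + 4)
        # sanity checks to suppress chance matches in ordinary text
        if 1 <= version <= 50 and 8 <= length <= 64 * 1024 * 1024:
            hits.append(off)
    return hits

def scan_office_document(blob: bytes):
    """Scan a document (OOXML zip or legacy binary) for embedded Flash content.
    Returns a list of (location, reason) findings; an empty list means nothing found."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                member = zf.read(name)  # decompressed, so SWF magic is visible
                if FLASH_CLSID in member.upper():
                    findings.append((name, "references Flash ActiveX CLSID"))
                for off in find_swf_headers(member):
                    findings.append((name, f"SWF header at offset {off}"))
    else:
        for off in find_swf_headers(blob):
            findings.append(("<file>", f"SWF header at offset {off}"))
    return findings

def build_sample_docx() -> bytes:
    """Constructed sample: a minimal docx-like zip whose ActiveX part embeds a SWF stub."""
    swf_stub = b"CWS" + bytes([28]) + struct.pack("<I", 4096) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
        zf.writestr("word/activeX/activeX1.bin", swf_stub)
    return buf.getvalue()

if __name__ == "__main__":
    for location, reason in scan_office_document(build_sample_docx()):
        print(f"{location}: {reason}")
```

Any finding on a document received by email is a reason to open it only in Protected View or not at all until the patch is applied.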