Priority: High
Executive Summary: A new vulnerability discovered in Adobe Flash is being exploited in the wild and allows attackers to execute arbitrary code. Adobe have addressed this vulnerability (CVE-2018-15982) with the release of Flash Player 32.0.0.101 for Windows, macOS, Linux, and Chrome OS.
The vulnerability was discovered being exploited through a Flash ActiveX object embedded inside a Word document, which was found uploaded to VirusTotal. This document may have been distributed through a spear phishing campaign. The document is designed to look like an application form for a Russian medical clinic. Once the vulnerability is exploited, the malware attempts to download a payload which collects system information, creates persistence, and begins relaying information to a command and control center.
In addition, a further vulnerability has been found in the Adobe Flash Player installer (for Windows). This vulnerability allows privilege escalation and exists due to insecure handling of loaded DLLs. There are no known reports of this second vulnerability, CVE-2018-15983, being exploited in the wild, and it can be mitigated by applying the patch version 31.0.0.122.
Detect: The version of Adobe Flash Player installed can be found by right-clicking on content running in Flash Player and selecting “About Adobe Flash Player”. If multiple browsers are used, this check needs to be performed in each browser individually.
Affected Products:
The following products are affected by CVE-2018-15982:
- Adobe Flash Player Desktop Runtime, 31.0.0.153 and earlier versions; Windows, macOS and Linux.
- Adobe Flash Player for Google Chrome, 31.0.0.153 and earlier versions; Windows, macOS, Linux and Chrome OS.
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11, 31.0.0.153 and earlier versions; Windows 10 and 8.1.
The following product is affected by CVE-2018-15983:
- Adobe Flash Player Installer, 31.0.0.108 and earlier; Windows.
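For fleets where checking each browser by hand is impractical, the affected-version ceilings listed above can be applied to a software inventory export. The following is an added example, not code from Adobe or from this advisory; the inventory layout, host names and the `player`/`installer` component labels are assumptions.

```python
import re

# Highest affected versions, taken from the "Affected Products" list above.
AFFECTED_MAX = {
    "player": ("CVE-2018-15982", (31, 0, 0, 153)),
    "installer": ("CVE-2018-15983", (31, 0, 0, 108)),
}

# Four numeric fields; '.' or ',' accepted as separator (assumption about export formats).
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", re.ASCII)

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a 4-part version."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(g) for g in match.groups()) if match else None

def assess(component, version_text):
    """Return (status, cve); status is 'affected', 'ok' or 'unknown'."""
    if component not in AFFECTED_MAX:
        return ("unknown", None)
    cve, max_affected = AFFECTED_MAX[component]
    version = parse_version(version_text)
    if version is None:
        return ("unknown", cve)  # unparseable: needs a manual check
    # Tuple comparison is numeric per field, so 31.0.0.99 sorts below
    # 31.0.0.153 (a plain string comparison would get this wrong).
    return ("affected" if version <= max_affected else "ok", cve)

def triage(inventory):
    """inventory: iterable of (host, component, version). Returns rows needing action."""
    findings = []
    for host, component, version in inventory:
        status, cve = assess(component, version)
        if status != "ok":
            findings.append((host, component, version, status, cve))
    return findings

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("ws-01", "player", "31.0.0.153"),
    ("ws-02", "player", "32.0.0.101"),
    ("ws-03", "player", "31.0.0.99"),
    ("ws-04", "installer", "31.0.0.122"),
    ("ws-05", "installer", "31.0.0.108"),
    ("ws-06", "player", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Rows reported as `unknown` are kept in the output so that hosts with missing or malformed version data are checked manually rather than silently treated as patched.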
Prevent: As these vulnerabilities have been patched in updates released by Adobe, exploitation of the vulnerabilities can be prevented by updating to the latest versions of the affected Adobe products.
React: Adobe have released patches for CVE-2018-15982 and CVE-2018-15983. It is advised that these updates are tested and installed as soon as possible. To learn how to update Flash Player and the Flash Player Installer, visit Adobe’s Security Bulletin on the vulnerabilities:
https://helpx.adobe.com/security/products/flash-player/apsb18-42.html