Entersoft Security Blog

Remote Code Execution Vulnerability in Adobe Flash Player

Posted by Entersoft Team on Mar 22, 2018 9:10:18 PM


Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition. Adobe Flash Player version 28.0.0.137 and prior versions are vulnerable.

Adobe created Flash (formerly called Macromedia Flash and Shockwave Flash) as a platform that allows developers to create vector graphics, animation, browser games, rich Internet applications, desktop applications, mobile applications and mobile games.

According to Adobe:

  • More than 1 billion devices are addressable today with Flash technology.
  • More than 20,000 apps in mobile markets, like the Apple App Store and Google Play, are built using Flash technology.
  • 24 of the top 25 Facebook games were built using Flash technology. The top 9 Flash technology-enabled games in China generated over US$70 million a month.
  • More than 3 million developers used Adobe Flash technology to create engaging interactive and animated web content.

But here’s the worrying statistic of the set that Adobe provides on its official page:

  • More than 400 million connected desktops update to the new version of Flash Player within six weeks of release.

Six weeks is a very long time when it comes to cybersecurity. In six weeks, millions of Flash users can be compromised, and the worse news is that they usually do become victims of cyberattacks.

Millions of people in the world use Flash Player. To most of us, it’s a necessity and we don’t pay much attention to it because it’s that thing that runs in the background that some apps need in order to work.

Adobe Flash is one of the preferred methods that cybercriminals use to attack users worldwide!

Of those 63 security vulnerabilities, 57 were critical: they allowed information exposure, let attackers bypass intended access restrictions and obtain sensitive information via unspecified vectors, or permitted execution of arbitrary code.

Summary:

A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

For the latest information, users may monitor the Adobe Product Security Incident Response Team.

Affected Product Versions

Product                                                         Version                          Platform
Adobe Flash Player Desktop Runtime                              28.0.0.137 and earlier versions  Windows, Macintosh
Adobe Flash Player for Google Chrome                            28.0.0.137 and earlier versions  Windows, Macintosh, Linux and Chrome OS
Adobe Flash Player for Microsoft Edge and Internet Explorer 11  28.0.0.137 and earlier versions  Windows 10 and 8.1
Adobe Flash Player Desktop Runtime                              28.0.0.137 and earlier versions  Linux


Threat Attribution:

We assess that the actors employing this latest Flash zero-day are a suspected North Korean group tracked as TEMP.Reaper. From observations, TEMP.Reaper operators directly interact with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific. Historically, the majority of their targeting has been focused on the South Korean government, military, and defence industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK), such as Korean unification efforts and North Korean defectors.

In the past year, FireEye iSIGHT Intelligence discovered a newly developed wiper malware, which they detect as RUHAPPY, being deployed by TEMP.Reaper. Other suspected North Korean threat groups such as TEMP.Hermit have employed wiper malware in disruptive attacks, but TEMP.Reaper has not been observed using it against any of their targets.


Attack Scenario:

Analysis of the exploit chain is ongoing, but available information points to the Flash zero-day being distributed in a malicious document or spreadsheet with an embedded SWF file. Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims.
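As an added defender-side example (not code from the original post, Adobe or FireEye), the following Python scanner looks for embedded SWF files inside an OOXML (docx/xlsx/pptx) package, the delivery vehicle described above, and also works on raw byte blobs such as legacy OLE documents. The sample document and the SWF header inside it are constructed inline; the version range and the 128 MiB length cap are heuristics chosen here to suppress false positives from the plain-text magic.

```python
from __future__ import annotations
import io
import struct
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed SWF
MAX_SWF_LEN = 128 * 1024 * 1024  # heuristic cap on the header's length field (assumption)

def swf_header_at(blob: bytes, off: int) -> bool:
    """Heuristic check for a plausible SWF header at offset `off`: 3-byte magic,
    a version byte in a sane range, then a 32-bit little-endian uncompressed length."""
    if blob[off:off + 3] not in SWF_MAGICS or len(blob) < off + 8:
        return False
    version = blob[off + 3]
    (length,) = struct.unpack_from("<I", blob, off + 4)
    return 1 <= version <= 64 and 8 <= length <= MAX_SWF_LEN

def find_swf_offsets(blob: bytes) -> list[int]:
    """Offsets of every SWF header in a raw byte blob (legacy OLE .doc/.xls,
    or one binary part of an OOXML package, where the SWF is usually not at offset 0)."""
    hits = []
    for magic in SWF_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            if swf_header_at(blob, pos):
                hits.append(pos)
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def find_swf_in_ooxml(doc: bytes) -> dict[str, list[int]]:
    """Scan every part of a docx/xlsx/pptx zip; embedded objects normally live under
    word/, xl/ or ppt/ embeddings or activeX, but all entries are checked."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for info in zf.infolist():
            offsets = find_swf_offsets(zf.read(info))
            if offsets:
                hits[info.filename] = offsets
    return hits

def build_sample_docx() -> bytes:
    """Constructed sample package: harmless XML parts plus one binary part wrapping a
    fake SWF header (version 15, length 40) after 16 bytes of padding. Not an exploit."""
    swf = b"CWS\x0f" + struct.pack("<I", 40) + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>FWS in plain text is not a hit</w:document>")
        zf.writestr("word/activeX/activeX1.bin", b"\x00" * 16 + swf)
    return buf.getvalue()
```

Running `find_swf_in_ooxml(build_sample_docx())` reports the ActiveX part at offset 16 and ignores the literal "FWS" in the XML text.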

Recommendations:

We recommend that customers use extreme caution, especially when visiting South Korean sites, and avoid opening suspicious documents, especially Excel spreadsheets. Due to the publication of the vulnerability prior to patch availability, it is likely that additional criminal and nation state groups will attempt to exploit the vulnerability in the near term.

Adobe advises users to enable Protected View so they open documents in read-only mode, and a post on GHacks explains how to do it.

Research by Kiran

References:

https://heimdalsecurity.com/

blogs.adobe.com

https://www.fireeye.com/

GHacks

Topics: vulnerability, cyber attack, Hacks and news, cybersecurity