Researchers have discovered yet another zero-day vulnerability in Adobe Flash Player, one that has been actively exploited in the Middle East. Shortly after the vulnerability was disclosed, Adobe released security updates for Flash Player on Windows, macOS, Linux, and Chrome OS.
ICEBRG, a network security company, said in a blog post that the vulnerability lets malicious Flash objects execute code on targeted devices. This allows attackers to “execute a range of payloads and actions” depending on their intentions. The vulnerability has been assigned the identifier CVE-2018-5002, but at the time of writing it hadn’t been listed on the official CVE website or in the National Vulnerability Database (NVD).
According to ICEBRG, this zero-day vulnerability has been exploited in the Middle East via Microsoft Office documents that download and execute a Flash exploit on target devices. The company said this approach differs from other Office-delivered Flash exploits in that it “uses a lesser-known feature to remotely include all SWF content from the attacker’s server instead of embedding it directly in the document.” In other words, the document itself carries no Flash payload to inspect; it only carries a reference to one hosted elsewhere.
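As an added example (not part of the original article or ICEBRG’s research), the following heuristic scanner walks the XML parts of an Office Open XML container and flags any part that references a `.swf` resource by URL rather than embedding it. The article does not name the exact Office feature the attackers used, so the scan is deliberately broad: it matches any `http(s)` URL ending in `.swf` in any XML or `.rels` part. The sample documents, the ActiveX property names and the `example.invalid` host are all constructed for the demo.

```python
import io
import re
import zipfile

# Matches http(s) URLs pointing at a Flash movie (.swf), with an optional query string.
SWF_URL_RE = re.compile(rb"https?://[^\s\"'<>]+?\.swf(?:\?[^\s\"'<>]*)?", re.IGNORECASE)


def find_remote_swf_refs(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (zip_member, url) pairs for every .swf URL found in any XML or
    .rels part of an OOXML container (docx/xlsx/pptx share this layout).
    Embedded binaries are not inspected: a reference to an externally hosted
    SWF, not an embedded one, is the indicator this check looks for."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue
            for match in SWF_URL_RE.finditer(zf.read(name)):
                hits.append((name, match.group(0).decode("utf-8", "replace")))
    return hits


def build_sample_docx(activex_xml: bytes) -> bytes:
    """Construct a minimal OOXML zip with a document body and one ActiveX
    control part. This is a constructed sample, not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", b"<w:document><w:body><w:p/></w:body></w:document>")
        zf.writestr("word/activeX/activeX1.xml", activex_xml)
    return buf.getvalue()


# Constructed ActiveX parts: one points its Movie property at a remote SWF,
# the other at a file name only (nothing fetched from the network).
REMOTE_PART = b'<ax:ocx><ax:ocxPr ax:name="Movie" ax:value="http://example.invalid/loader.swf"/></ax:ocx>'
LOCAL_PART = b'<ax:ocx><ax:ocxPr ax:name="Movie" ax:value="movie.swf"/></ax:ocx>'

if __name__ == "__main__":
    for label, part in (("remote", REMOTE_PART), ("local", LOCAL_PART)):
        print(label, find_remote_swf_refs(build_sample_docx(part)))
```

Because the indicator is a URL rather than a file hash, the same check can be run over mail-gateway attachments regardless of which SWF the remote server returns.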
Attackers shifted away from delivering Flash exploits via malicious websites after browser makers improved their security. Instead, many have opted to use Office documents to infect target devices, because the Office suite doesn’t offer the same protections. Many people also handle countless Office documents, and unless they’ve been explicitly told not to, chances are good that they’ll open one regardless of its source.
ICEBRG said it notified Adobe of this zero-day vulnerability on June 1; the patches were released on June 7. Of course, Adobe is no stranger to responding quickly to zero-day vulnerabilities in Flash, given that it had to patch a different one earlier this year. (And it has reacted to countless others in the years prior.) Just take comfort in knowing that Flash is set to stop being a thing in 2020.