Windows users attacked via critical Flash zero-day: Patch now, urges Adobe

Adobe issues security update for critical zero-day Flash Player flaw that attackers are exploiting via Excel docs.
Written by Liam Tung, Contributing Writer


Advanced hackers have demonstrated that you really don't need browsers to exploit Flash Player vulnerabilities on Windows. Office does the job just fine.

Adobe has released an update to address a critical flaw affecting Flash Player that is actively being exploited, otherwise known as a zero-day flaw.

Adobe is urging users to update Flash Player to the patched version, which also addresses three other flaws.

An exploit for the flaw, CVE-2018-5002, is stealthily delivered in emailed Excel attachments using a novel technique designed to minimize the risk of detection by antivirus and frustrate forensic analysis.

The flaw was discovered by researchers at security firms Iceberg and Qihoo 360 Core Security, which have provided separate analyses of the techniques.


Instead of embedding malicious Flash content directly in the Office document, which might be detected by analyzing its code, the Excel file calls in the Flash exploit from a remote server.

Iceberg notes that the remote inclusion helps evade detection because the document doesn't contain any malicious code.

Remotely loading the malicious Flash object also allows the attacker to selectively serve exploits to targets based on IP address, or avoid non-targets based on a regional ISP, a cloud provider or by security product.

Once the malicious Excel document is opened, it requests a malicious Shockwave Flash (SWF) file, which is downloaded from an attacker-created domain.

The SWF file then requests encrypted data and the decryption keys, which are used to unpack and run the Flash exploit.

Once the Flash vulnerability is triggered, the file requests malicious shellcode from the remote server and executes it on the victim's machine, which delivers a trojan that probably establishes a backdoor on the machine.

Iceberg notes the combined use of remote inclusion and public-key cryptography to conceal the exploit makes it extremely difficult for responders to analyze an infection.

All data transmitted from the attacker's server to the target machine is shielded by a symmetric AES cipher, while the symmetric AES key is protected by an asymmetric RSA cipher.

"To decrypt the data payload, the client decrypts the encrypted AES key using its randomly generated private key, then decrypts the data payload with the decrypted AES key," wrote Iceberg's researchers.

"The extra layer of public key cryptography, with a randomly generated key, is crucial here. By using it, one must either recover the randomly generated key or crack the RSA encryption to analyze subsequent layers of the attack.

"If implemented correctly, this renders packet capture in forensic analysis and automated security products ineffective. Furthermore, the decrypted data payloads will only reside in memory, challenging traditional disk forensics and non-volatile artifact analysis."
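The hybrid scheme Iceberg describes, reproduced here as an added example to show what a responder holding only a packet capture actually has, is not code from Iceberg, Qihoo 360 or the attackers. It assumes the `cryptography` library is installed; the article names only "RSA" and "AES", so the choice of RSA-OAEP and AES-GCM, the key sizes, and the function names are this example's assumptions, and the payload bytes are constructed.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters; the article names only "RSA" and "AES", so the padding
# and the AES mode used here are this example's assumptions.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def client_generate_keypair():
    """Client: fresh RSA key pair per session. Only the public half is sent;
    the private half exists solely in the client's memory."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_pem = priv.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv, pub_pem


def server_wrap_payload(pub_pem, payload):
    """Server: encrypt the payload with a one-time AES key, then wrap that key
    under the client's RSA public key. Returns the items that cross the wire."""
    pub = serialization.load_pem_public_key(pub_pem)
    aes_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(aes_key).encrypt(nonce, payload, None)
    wrapped_key = pub.encrypt(aes_key, OAEP)
    return wrapped_key, nonce, ciphertext


def unwrap_payload(priv, wrapped_key, nonce, ciphertext):
    """Client side of the quoted description: RSA-decrypt the AES key, then
    AES-decrypt the payload. Returns None when the private key does not match,
    which is the position of a responder holding only a packet capture."""
    try:
        aes_key = priv.decrypt(wrapped_key, OAEP)
        return AESGCM(aes_key).decrypt(nonce, ciphertext, None)
    except (ValueError, InvalidTag):
        return None


def simulate_session(payload):
    """Run one exchange and return what a network capture would hold plus the
    two responder outcomes: with the in-memory private key and without it."""
    priv, pub_pem = client_generate_keypair()
    wrapped_key, nonce, ciphertext = server_wrap_payload(pub_pem, payload)
    # A packet capture yields exactly these bytes and nothing else.
    capture = {"pubkey_pem": pub_pem, "wrapped_key": wrapped_key,
               "nonce": nonce, "ciphertext": ciphertext}
    # Responder who dumped process memory and recovered the session key.
    with_memory = unwrap_payload(priv, wrapped_key, nonce, ciphertext)
    # Responder with only the capture: any other key fails to unwrap.
    unrelated_priv, _ = client_generate_keypair()
    capture_only = unwrap_payload(unrelated_priv, wrapped_key, nonce, ciphertext)
    return capture, with_memory, capture_only


if __name__ == "__main__":
    # Constructed stand-in for the second-stage data, not a real payload.
    capture, with_memory, capture_only = simulate_session(b"constructed second-stage bytes")
    print("on the wire (bytes per item):", {k: len(v) for k, v in capture.items()})
    print("with memory-recovered private key:", with_memory)
    print("capture only:", capture_only)
```

The practical consequence for incident response is the last two lines of output: the same capture decrypts only when the client's private key is recovered, so a memory image of the Office or Flash process taken while the session is live is worth more than any amount of network traffic.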

According to CERT/CC analyst Will Dormann, Adobe's patch for CVE-2018-5002 introduces a new prompt that warns users of potential security risks before loading remote content. Although the prompt looks like an Office prompt, the warning only appears after applying Adobe's latest update, Dormann notes.

So, why use Office to deliver a Flash exploit? As Iceberg researchers note, while browsers such as Chrome block Flash, Office for now supports embedded ActiveX controls for Flash.

A similar technique was used in a zero-day Flash exploit -- also embedded in an Excel document -- that Adobe patched in February. That attack was attributed to North Korean hackers.

Microsoft's advisory for Adobe's latest update offers instructions for admins to prevent Flash Player from running in Office.

Qihoo 360 and Iceberg don't attribute the attack to any nation. However, Qihoo 360 researchers said, "All clues show this is a typical APT attack."

Both firms suspect the targets are based in Qatar because the domain name used by the attackers was 'people.dohabayt[.]com', which includes 'Doha', Qatar's capital. The domain is also similar to a legitimate Middle East recruitment website 'bayt[.]com'.

Additionally, the malicious Excel document was uploaded to VirusTotal from an IP address in Qatar. And the Excel file's Arabic-language contents, which show pay details for embassy secretaries, ambassadors and diplomats, suggest the targets include anyone who would be interested in salaries at an embassy.

Image (Iceberg): In this example, the Movie property specifies the remote location of the Flash object.
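The Movie property in that image is also the most direct detection hook a defender has: an Office Open XML workbook stores a persisted Flash control as an ActiveX part whose Movie value names where the SWF comes from. The scanner below is an added example, not Iceberg's or Qihoo 360's tooling. It assumes the part layout `xl/activeX/activeXN.xml` with an `<ax:ocx>` root carrying the control's CLSID and `<ax:ocxPr>` children for its properties, uses the well-known Shockwave Flash CLSID, and builds a constructed sample workbook inline so it runs offline; the domain in the sample is a placeholder, not the one from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML namespace for persisted ActiveX controls (assumed layout:
# xl/activeX/activeXN.xml parts with an <ax:ocx> root and <ax:ocxPr> children).
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
# Well-known CLSID of the Shockwave Flash ActiveX control.
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
# Anything fetched rather than embedded: web URLs or UNC paths.
REMOTE_RE = re.compile(r"^(?:https?://|ftps?://|\\\\)", re.IGNORECASE)
PART_RE = re.compile(r"activeX/activeX\d+\.xml$", re.IGNORECASE)


def find_remote_flash_objects(workbook_bytes):
    """Return (part_name, movie_value) for every persisted Flash control in the
    workbook whose Movie property points at a remote location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
        for part in zf.namelist():
            if not PART_RE.search(part):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # malformed part; nothing to inspect
            clsid = root.get(f"{{{AX_NS}}}classid", "").upper()
            if clsid != FLASH_CLSID:
                continue
            for prop in root.iter(f"{{{AX_NS}}}ocxPr"):
                if prop.get(f"{{{AX_NS}}}name") == "Movie":
                    movie = prop.get(f"{{{AX_NS}}}value", "").strip()
                    if REMOTE_RE.match(movie):
                        hits.append((part, movie))
    return hits


def build_sample_workbook(movie_value):
    """Constructed minimal workbook-like zip holding one persisted Flash
    control. Real .xlsx files carry many more parts; the scanner ignores them."""
    part_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" '
        'ax:persistence="persistPropertyBag">'
        f'<ax:ocxPr ax:name="Movie" ax:value="{movie_value}"/>'
        '<ax:ocxPr ax:name="Play" ax:value="-1"/>'
        '</ax:ocx>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/activeX/activeX1.xml", part_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder locations, constructed for the demo.
    samples = [
        ("remote URL", "http://remote.example/loader.swf"),
        ("UNC path", r"\\fileserver\share\loader.swf"),
        ("embedded", "loader.swf"),
    ]
    for label, movie in samples:
        found = find_remote_flash_objects(build_sample_workbook(movie))
        print(f"{label:10s} -> {'FLAG' if found else 'ok':4s} {found}")
```

Run against real attachments at the mail gateway or in a sandbox, the same function takes the raw `.xlsx` bytes; a hit means the document will reach out for a Flash object when opened, which is exactly the behaviour the remote-inclusion technique relies on, regardless of whether the served SWF is malicious on the day it is scanned.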
