A Adobe lançou atualizações de segurança para o Flash Player que abordam quatro vulnerabilidades, incluindo um problema crítico (CVE-2018-5002) que foi explorado em ataques dirigidos principalmente a entidades no Médio Oriente.
A vulnerabilidade do CVE-2018-5002, endereçada por investigadores do ICEBRG, Qihoo 360 e Tencent, é respeitante a um stack-based buffer overflow e que pode ser explorado remotamente permitindo a execução arbitrária de código por parte dos atacantes.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.
“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.”
O investigador não divulgou detalhes técnicos da vulnerabilidade, mas a Adobe confirmou que o dia zero foi explorado em ataques direcionados a utilizadores do Windows.
Os atacantes lançaram estes ataques através de spear phishing e utilizando mensagens maliciosas em documentos do Office (um doc do Excel chamado “salary.xlsx) que contém conteúdo Flash especialmente criado para este fim.
“The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East.” reads the analysis published by Qihoo 360.
A nova versão do Flash Player 30.0.0.113 também aborda as seguintes vulnerabilidades:
- CVE-2018-4945 – a critical type confusion vulnerability that can lead to code execution, it was reported by researchers at Tencent.
- CVE-2018-5000 – an “important” severity integer overflow that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
- CVE-2018-5001 – an “important” out-of-bounds read flaw that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
Este é o segundo dia zero descoberto em 2018, o primeiro dia zero da Adobe, identificado como CVE-2018-4878, foi corrigido em fevereiro depois de ser explorado por hackers ligados à Coréia do Norte em ataques contra a Coréia do Sul.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.