Adobe patches Flash 0day used by nation-state hackers

Users of Adobe's Flash media player are being advised to apply urgent patches after a new vulnerability emerged that is being exploited by hackers to run arbitrary code on users' machines.

The flaw has been given the Common Vulnerabilities and Exposures index of CVE-2018-5002, and was discovered by Chinese internet services provider Tencent's security arm, Qihoo 360.

Qihoo 360 said its advanced threat response team noticed the attack being deployed on a global scale on June 1 this year, with hackers sending out booby-trapped Microsoft Office Excel spreadsheets.

In a multi-stage attack, the spreadsheet attachments were constructed to first load code from remote servers to be returned as an Adobe Shockwave (SWF) file.

After the SWF file executed on targets' machines, the malicious code fetched a further encrypted file containing the CVE-2018-5002 vulnerability from a command and control server, along with decryption keys.

The keys are used to decrypt the second file, and to execute code to exploit the vulnerability.

Once user machines had been compromised through the Flash 0day, attackers were able to run any code they liked with the privileges of a logged-in user.

Qihoo 360 said the attacks were focused on the Middle East, with the Excel spreadsheet file name being in Arabic.

The command and control server appears to be a compromised computer used for staff recruitment in the Miidle East, Qihoo 360 said.

Since the link to the C&C server contains "doha" and when directly accessed redirects to a Qatari company's staff introduction home page, Qihoo 360 suspects the attackers targetted users in the Persian/Arabian Gulf nation.

The domain name used was registered in February this year, indicating that attackers had started preparing for the attack months ago.

"All clues show this is a typical APT [advanced persistent threat] attack," the security vendor said.

Adobe said versions 29.0.0.171 and earlier of the Flash Player desktop runtime on Windows, macOS and Linux are affected, as are the built-in equivalent for Microsoft's Edge and Internet Explorer 11, and Google's Chrome web browsers.

Users should update to Adobe Flash Player version 30.0.113 which is patched against the vulnerability.

The Edge, Internet Explorer 11 and Chrome web browsers will be automatically updated with patched versions of Adobe Flash Player. Users should close and restart their browsers.

On top of patching the CVE-2018-5002 flaw, which Adobe said is a stack-based buffer overflow bug, the security updates handles another critical type confusion vulnerability, CVE-2018-4945 that can be exploited for arbitrary code execution.