A stack-based buffer overflow vulnerability has been discovered in Adobe Flash Player and assigned CVE-2018-5002.
The flaw stems from improper handling of a try-catch statement inside a static initializer. It affects Adobe Flash Player 29.0.0.171 and earlier versions. Adobe addressed the issue in APSB18-19 by releasing version 30.0.0.113. Microsoft has released ADV180014, which delivers the fixed Flash Player build for Internet Explorer and Microsoft Edge and covers CVE-2018-5002 together with the other issues fixed in APSB18-19.
In the Wild Attacks
CVE-2018-5002 is being exploited in the wild via malicious Microsoft Office documents, with attacks observed mainly in the Middle East. The lure currently seen is a Microsoft Excel sheet. When the document is opened, an embedded Flash ActiveX control downloads a SWF file from a remote command-and-control (C2) server and runs it. That first-stage SWF then fetches decryption keys and encrypted data from the remote server and uses them to decrypt a second SWF, which contains the actual exploit for the Flash vulnerability. On successful exploitation, the target downloads and executes shellcode whose purpose is to retrieve further malware and establish a backdoor for the attacker. Because the exploit stage only arrives encrypted, with the keys served on demand from the attacker's server, the document captured on disk does not by itself contain the exploit, which complicates offline analysis of samples.
Mitigation
Organizations should apply the latest patches from Adobe (APSB18-19) and Microsoft (ADV180014). Qualys is aware of the issue and will add the necessary detections as soon as possible. If immediate patching is not possible, disable instantiation of Adobe Flash Player in Internet Explorer, Microsoft Office and other hosts of the Flash ActiveX control, for example by setting the ActiveX kill bit. Refer to ADV180014 for the full set of mitigations and workarounds suggested by Microsoft.
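If patching has to wait, the workaround the post points to in ADV180014 is the ActiveX/COM kill bit for the Flash control. The PowerShell below is an added example, not code from Qualys or from Microsoft's advisory. It assumes the standard Shockwave Flash Object CLSID and the Internet Explorer and Office kill-bit registry locations that Microsoft documents; the Macromed\Flash paths used for the version check are this example's assumption about where the Flash ActiveX file lives.

```powershell
# Added example (not from the Qualys post or Microsoft's advisory): apply and verify the
# ActiveX/COM "kill bit" that stops Internet Explorer and Office from loading the Flash
# control, and report whether the installed Flash ActiveX build predates the fixed
# 30.0.0.113 release named in APSB18-19. Run from an elevated PowerShell session.

# CLSID of the Shockwave Flash Object (the Flash ActiveX control).
$FlashClsid   = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
# COMPAT_EVIL_DONT_LOAD: the kill-bit flag value.
$KillBit      = 0x400
# First fixed Flash Player build per APSB18-19.
$FixedVersion = [version]'30.0.0.113'

# Registry locations for the kill bit. The Internet Explorer key blocks the control in IE;
# the Office key blocks it in Office 2010 and later. The Wow6432Node variants cover 32-bit
# IE and Office on 64-bit Windows.
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$FlashClsid"
)

function Set-FlashKillBit {
    # Creates each key if missing and sets Compatibility Flags = 0x400.
    foreach ($key in $KillBitKeys) {
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value $KillBit -Force | Out-Null
    }
}

function Remove-FlashKillBit {
    # Reverts the workaround once the patched build is deployed.
    foreach ($key in $KillBitKeys) {
        if (Test-Path -Path $key) {
            Remove-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        }
    }
}

function Test-FlashKillBit {
    # Returns $true only when the kill bit is present at every location.
    $allSet = $true
    foreach ($key in $KillBitKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                                   -ErrorAction SilentlyContinue).'Compatibility Flags'
        $isSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        $label = if ($isSet) { 'SET' } else { 'UNSET' }
        Write-Host ('{0,-6} {1}' -f $label, $key)
        if (-not $isSet) { $allSet = $false }
    }
    return $allSet
}

function Get-FlashActiveXStatus {
    # Assumption: the ActiveX control lives under Macromed\Flash in System32 (64-bit) and
    # SysWOW64 (32-bit). Adobe writes the version with commas, so normalise before comparing.
    $paths = @("$env:SystemRoot\System32\Macromed\Flash\*.ocx",
               "$env:SystemRoot\SysWOW64\Macromed\Flash\*.ocx")
    Get-ChildItem -Path $paths -ErrorAction SilentlyContinue | ForEach-Object {
        $ver = [version]($_.VersionInfo.ProductVersion -replace '[,\s]+', '.')
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $ver
            Vulnerable = ($ver -lt $FixedVersion)   # CVE-2018-5002 is fixed in 30.0.0.113
        }
    }
}

# Usage: inventory first, then apply and confirm the workaround.
Get-FlashActiveXStatus | Format-Table -AutoSize
Set-FlashKillBit
if (Test-FlashKillBit) { 'Flash ActiveX kill bit applied for Internet Explorer and Office.' }
```

The kill bit only governs hosts that consult these compatibility tables, so it stops the Excel-embedded ActiveX chain described above and Flash content in Internet Explorer, but not the NPAPI/PPAPI plugin used by other browsers or the standalone Flash projector. Treat it as a stopgap and call Remove-FlashKillBit after the 30.0.0.113 build is deployed.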
Update: Qualys QIDs for detecting CVE-2018-5002
| QID | Description |
|---|---|
| 236845 | Red Hat Update for flash-plugin (RHSA-2018:1827) |
| 100338 | Microsoft Windows Adobe Flash Player Security Update for June 2018 (ADV180014) |
| 370996 | Adobe Flash Player Multiple Security Vulnerabilities (APSB18-19) |
Please continue to follow Qualys Threat Protect for information on this vulnerability.
References
Analysis of the Second Wave of Flash Zero-day Exploit in 2018
Security updates available for Flash Player | APSB18-19
Adobe Flash Zero-Day Leveraged for Targeted Attack in Middle East
ADV180014 | June 2018 Adobe Flash Security Update
CVE-2018-5002
Where is the QID for this?
If you search the KnowledgeBase for CVE-2018-5002, you’ll find these:
370996 Adobe Flash Player Multiple Security Vulnerabilities (APSB18-19)
100338 Microsoft Windows Adobe Flash Player Security Update for June 2018 (ADV180014)
236845 Red Hat Update for flash-plugin (RHSA-2018:1827)
The article has been updated with a list of QIDs to detect CVE-2018-5002.