A publicly exploited use-after-free vulnerability leading to arbitrary code execution was discovered in Adobe Flash Player. Adobe has addressed this vulnerability in APSB18-42 by releasing the latest version, 32.0.0.101. An additional insecure library loading vulnerability, which leads to privilege escalation via DLL hijacking attacks, was also remediated in this update. MITRE has assigned CVE-2018-15982 and CVE-2018-15983, respectively, to these two vulnerabilities. Correspondingly, Microsoft has released ADV180031 to address both vulnerabilities.
Exploited in the Wild:
CVE-2018-15982 has already been weaponized and found in APT campaigns targeting certain Russian individuals. It is being exploited via crafted Flash objects that are embedded in a Microsoft Office document and delivered via a spear-phishing email attack. The document is disguised as a questionnaire from a Moscow-based clinic and may use social engineering to entice a user into executing the embedded crafted Adobe Flash content. If the attack succeeds, an implanted binary within a .rar file is extracted and executed. This extracted binary is a backdoor masquerading as an NVIDIA Control Panel application, and it utilizes a stolen, revoked digital certificate.
Mitigation:
We request that organizations apply the latest patches provided by Adobe and Microsoft. Additionally, organizations can scan their environment with the following Qualys QIDs to detect the vulnerabilities described as CVE-2018-15982 and CVE-2018-15983:
| QID | Description |
|---|---|
| 237076 | Red Hat Update for flash-plugin (RHSA-2018:3795) |
| 91484 | Microsoft Windows Adobe Flash Player Security Update for December 2018 (ADV180031) |
| 371361 | Adobe Security Update for Flash Player (APSB18-42) |
QID 237076 does not exist in the Qualys knowledgebase; QID 91484 has no CVSS score and no CVSS3 score.
Hi Tom, you are correct. The QID was in the process of being released to production at the time this post was written. It has since been released in VULNSIGS-2.4.483-x. Can you please verify if you can see it in the knowledgebase now? Thanks!