Adobe Systems has confirmed that attackers are in possession of an exploit for a critical zero-day vulnerability in Flash Player that will be patched over the coming days.
News of the flaw first came Jan. 31 in an alert from the South Korean Computer Emergency Response Team (KR-CERT), but researchers from security firm Hauri believe the exploit has been used since November.
“They attacked South Koreans who mainly do research on North Korea,” Simon Choi, director of the security research center at Hauri, said on Twitter.
Researchers from South Korean security firm ESTsecurity said the exploit was used as part of a larger phishing campaign that started in mid-2017 through Korean social networks and messaging services.
The campaign was directed at people engaged in North Korean research but initially focused on Android users by distributing malicious applications (APKs). More recently, the attacks moved to PCs through an instant messaging service popular in the country.
The Flash Player zero-day exploit was embedded in a Microsoft Excel file and was executed through an ActiveX control, the ESTsecurity said in a blog post.
Adobe has confirmed the vulnerability and assigned it the CVE-2018-4878 identifier. It is a use-after-free memory issue that allows remote code execution. The company plans to release a Flash Player update with a fix sometime next week.
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,” Adobe said in an advisory. “These attacks leverage Office documents with embedded malicious Flash content distributed via email.”
In Internet Explorer on Windows 7, where exploiting Flash Player vulnerabilities could be easier, system administrators can change the program’s behavior so that Flash content requires user confirmation before execution. Adobe also recommends that administrators turn on the Protected View mode in Microsoft Office, which forces potentially unsafe files to be opened in read-only mode, preventing automated execution of code.
Critical Flaw Patched in Web Server Used by Many Industrial Control Systems
The CODESYS web server used in industrial control systems from multiple vendors has a critical vulnerability that could be exploited remotely to compromise systems.
“A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server,” 3S-Smart Software Solutions, the German company that makes the CODESYS runtime, warned in a security advisory.
The vulnerability has a score of 9.8 on the CVSS severity scale, out of a maximum of 10, and affects CODESYS V2.3 web servers running standalone or as part of the CODESYS runtime.
Administrators of ICS equipment that use CODESYS should make sure they install and run version 220.127.116.11 of the web server component. There is no workaround for the flaw and 3S-Smart notes that it can be exploited by attackers with low skills.
As a general security mitigation strategy, the company recommends using controllers and devices in protected environments with minimal network exposure; ensuring those devices are not accessible from the outside or using VPN tunnels for remote access; separating the control system network from other networks using firewalls; and protecting both the development and control systems from unauthorized access.
Unfortunately, ICS operators are generally more interested in ease of use rather than security. According to a report released recently by security firm Positive Technologies, there are 175,632 ICS components accessible online, with 64,287 in the United States. alone. The protocol most frequently found in those devices was HTTP (66,587).