Flash Update Fixes Zero-Day Flaw Used in Targeted Attack
Adobe Systems released a security update for Flash Player to fix four vulnerabilities, including one that was discovered in an attack targeting individuals and organizations from the Middle East.
Two of the patched vulnerabilities, CVE-2018-4945 and CVE-2018-5002, are rated critical and can lead to arbitrary code execution. The other two, CVE-2018-5000 and CVE-2018-5001, are rated important and can lead to information disclosure.
Adobe advises users to upgrade to Flash Player 30.0.0.113 as soon as possible. The Flash Player plug-in bundled with Google Chrome, Microsoft Edge and Internet Explorer will be upgraded through those browsers’ respective update mechanisms.
The most urgent vulnerability is CVE-2018-5002 because it is already exploited in the wild. Security firm Icebrg, one of the companies that found the CVE-2018-5002 zero-day exploit and reported it to Adobe, claims that it was used in an attack in the Middle East and probably targeted individuals in Qatar.
The attackers did not deliver the Flash Player exploit through a website but through Microsoft Office documents. One malicious document claimed to contain information about salary adjustments for secretaries, ambassadors and diplomats in Qatar.
“The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers,” the Icebrg researchers said in a blog post.
However, instead of directly embedding the entire exploit in the document, as attackers have done in the past, in this case the hackers used a trick to load the malicious SWF (Flash) content from a remote server. This stealthy technique allows them to evade detection and be more selective in their targeting.
“The document by itself does not contain any malicious code,” the Icebrg researchers said. “Statically, the best one can do is detect the presence of remotely included Flash content. Dynamically, the sandbox/simulator must interact with the attacker’s server and receive malicious content, necessitating that the analysis system has a live connection to the Internet.”
“Further, the attacker may selectively serve the next stage based upon the requesting IP address or HTTP headers (indicating a specific targeted environment),” the researchers added. “Once access is established, the attacker may decommission their server and subsequent analysis of the attack must rely on leftover forensic artifacts.”
Microsoft is aware of the security risks and the abuse potential of embedding Flash content in Microsoft Office documents, which is why it plans to disable this functionality in future builds of Microsoft Office 2016 for Office 365 customers. Silverlight and Shockwave controls will be blocked as well.
Foscam IP Camera Owners Should Update Their Firmware
Foscam, the manufacturer of a wide range of video surveillance products, including IP cameras and NVRs, is advising all users to upgrade the firmware of their devices to the latest version.
The company has released new firmware for many camera models to address several vulnerabilities that could allow attackers to take over devices remotely.
“The latest firmware for Foscam cameras utilizes protection against various types of online hacking and unauthorized access,” the company said in an advisory. “There are no known vulnerabilities with any of our cameras once updated with the latest firmware as outlined below.”
Foscam’s firmware updates came in response to a report from IoT security firm VDOO, whose researchers found three vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) affecting many Foscam camera models.
“Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet),” the VDOO researchers said in a blog post that detailed technical information about the flaws.
The VDOO report contains a table of affected camera models, as well as instructions on how to check if a camera is vulnerable. To the company’s knowledge, the three vulnerabilities haven’t been exploited in the wild until now, but given how many IoT botnets are currently competing for devices, they might soon be.
