Flash Update Fixes Zero-Day Flaw Used in Targeted Attack

Adobe Systems released a security update for Flash Player to fix four vulnerabilities, including one that was discovered in an attack targeting individuals and organizations from the Middle East.

Two of the patched vulnerabilities, CVE-2018-4945 and CVE-2018-5002, are rated critical and can lead to arbitrary code execution. The other two, CVE-2018-5000 and CVE-2018-5001, are rated important and can lead to information disclosure.

Adobe advises users to upgrade to Flash Player as soon as possible. The Flash Player plug-in bundled with Google Chrome, Microsoft Edge and Internet Explorer will be upgraded through those browsers’ respective update mechanisms.

The most urgent vulnerability is CVE-2018-5002 because it is already exploited in the wild. Security firm Icebrg, one of the companies that found the CVE-2018-5002 zero-day exploit and reported it to Adobe, claims that it was used in an attack in the Middle East and probably targeted individuals in Qatar.

The attackers did not deliver the Flash Player exploit through a website but through Microsoft Office documents. One malicious document claimed to contain information about salary adjustments for secretaries, ambassadors and diplomats in Qatar.

“The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers,” the Icebrg researchers said in a blog post.

However, instead of directly embedding the entire exploit in the document, as attackers have done in the past, in this case the hackers used a trick to load the malicious SWF (Flash) content from a remote server. This stealthy technique allows them to evade detection and be more selective in their targeting.

“The document by itself does not contain any malicious code,” the Icebrg researchers said. “Statically, the best one can do is detect the presence of remotely included Flash content. Dynamically, the sandbox/simulator must interact with the attacker’s server and receive malicious content, necessitating that the analysis system has a live connection to the Internet.”

“Further, the attacker may selectively serve the next stage based upon the requesting IP address or HTTP headers (indicating a specific targeted environment),” the researchers added. “Once access is established, the attacker may decommission their server and subsequent analysis of the attack must rely on leftover forensic artifacts.”

Microsoft is aware of the security risks and the abuse potential of embedding Flash content in Microsoft Office documents, which is why it plans to disable this functionality in future builds of Microsoft Office 2016 for Office 365 customers. Silverlight and Shockwave controls will be blocked as well.

Foscam IP Camera Owners Should Update Their Firmware

Foscam, the manufacturer of a wide range of video surveillance products, including IP cameras and NVRs, is advising all users to upgrade the firmware of their devices to the latest version.

The company has released new firmware for many camera models to address several vulnerabilities that could allow attackers to take over devices remotely.

“The latest firmware for Foscam cameras utilizes protection against various types of online hacking and unauthorized access,” the company said in an advisory. “There are no known vulnerabilities with any of our cameras once updated with the latest firmware as outlined below.”

Foscam’s firmware updates came in response to a report from IoT security firm VDOO, whose researchers found three vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) affecting many Foscam camera models.

“Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet),” the VDOO researchers said in a blog post that detailed technical information about the flaws.

The VDOO report contains a table of affected camera models, as well as instructions on how to check if a camera is vulnerable. To the company’s knowledge, the three vulnerabilities haven’t been exploited in the wild until now, but given how many IoT botnets are currently competing for devices, they might soon be.

Featured eBook
A Simple Guide to Successful Penetration Testing

A Simple Guide to Successful Penetration Testing

How effective are your existing security controls against a skilled adversary? Discover the answer with penetration testing. The main difference between a penetration test and an attacker is permission. A hacker won’t ask for permission when trying to expose your critical systems and assets, so pen test to protect. A pen test is not just ... Read More
Core Security

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin