New Adobe Flash Zero-Day Spotted in the Wild

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,320
BREAKING — South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild.

According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents.

Zero-day is the work of North Korean hackers
Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea.

The Agency is now recommending that users disable or uninstall Adobe Flash Player from their systems until Adobe issues a patch. The next Adobe Patch Tuesday is scheduled for February 13.

Adobe did not respond to a request for comment from Bleeping Computer in time for this article's publication.

Developing story. The article will be updated with more info as it becomes available.
 

zzz00m

Level 6
Verified
Well-known
Jun 10, 2017
248
I am feeling really good about running Firefox completely Flash-free as my primary browser! Never any Flash exploits to worry about, or the constant patches.

Most websites that I visit are fully supporting the HTML-5 standard now. In the rare event I ever need Flash, I fire up Chrome, but only for trusted websites!
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,643
I am always using beta version, it updates the current version without the need of uninstalling the previous one (beta). Currently 28.0.0.152.

Code:
https://labs.adobe.com/downloads/flashplayer.html
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Security Advisory for Adobe Flash Player : Adobe Security Advisory

Quote : " A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe will address this vulnerability in a release planned for the week of February 5. "
 
Deleted member 65228

I'd like to see this Flash zero-day exploit tested with OSArmor.
It will likely be mitigated depending on the configuration as long as the exploit triggers process execution attempts and alike. If it executes malicious code literally within the address space of the MS Office processes (arbitrary remote code execution leveraged -> payload in-memory) without any additional processes being required (e.g. no CMD, no PowerShell, no bcdedit, etc. -> just straight up execute malicious code not dependent on such) then it will likely succeed without being mitigated.

Therefore it's not so much about the exploit being mitigated, it's about the payload being mitigated. The initial exploit isn't going to be mitigated based on how OSArmor works, however the actual payload likely will be because OSArmor intercepts process creation and can be super aggressive with targeted objects for malicious payloads which attackers using such exploits tend to take a liking to (like PowerShell, vssadmin for removing shadow copies, etc).
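The point above is that a process-creation interceptor sees the payload's child processes, not the exploit itself. As an added illustration (not code from the thread or from OSArmor), here is a small Python scanner that applies that logic to constructed Sysmon-style process-creation records; the field names, sample lines and rule names are assumptions for the example.

```python
"""Flag Office-spawned script hosts and shadow-copy deletion in process-creation logs.

Limitation (as the post notes): these rules only see process creation. A payload
that runs entirely inside the Office process and never spawns a child is invisible here.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "vssadmin.exe", "bcdedit.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed, Sysmon-like (Event ID 1) records, one event per line. Not real telemetry.
SAMPLE_LOG = r"""
ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -nop -w hidden -enc AAAA"
ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="WINWORD.EXE report.docx"
ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet"
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs (assumed record format)


def parse_event(line: str) -> dict:
    """Turn one key="value" record into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every rule that fires for one event (empty list if none)."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    # Rule 1: an Office application launching a script host or system utility.
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        hits.append("office_spawns_lolbin")
    # Rule 2: shadow-copy removal via vssadmin, whatever the parent was.
    if child == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
    # Rule 3: hidden or encoded PowerShell, a common post-exploitation payload shape.
    if child == "powershell.exe" and ("-enc" in cmd or "-w hidden" in cmd):
        hits.append("obfuscated_powershell")
    return hits


def scan(log_text: str) -> list:
    """Return (line_number, detections) for each event that triggers at least one rule."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        hits = classify(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```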
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It will likely be mitigated depending on the configuration as long as the exploit triggers process execution attempts and alike. If it executes malicious code literally within the address space of the MS Office processes (arbitrary remote code execution leveraged -> payload in-memory) without any additional processes being required (e.g. no CMD, no PowerShell, no bcdedit, etc. -> just straight up execute malicious code not dependent on such) then it will likely succeed without being mitigated.

Therefore it's not so much about the exploit being mitigated, it's about the payload being mitigated. The initial exploit isn't going to be mitigated based on how OSArmor works, however the actual payload likely will be because OSArmor intercepts process creation and can be super aggressive with targeted objects for malicious payloads which attackers using such exploits tend to take a liking to (like PowerShell, vssadmin for removing shadow copies, etc).
Did previous flash exploits have a preference for triggering process execution, or not necessarily? From what I remember, they liked to go for powershell, but I don't have extensive knowledge about it.
 
Deleted member 65228

Did previous flash exploits have a preference for triggering process execution, or not necessarily? From what I remember, they liked to go for powershell, but I don't have extensive knowledge about it.
I'm not entirely sure, but I just know that most exploitation leads to dependency on other resources for the payload. For example, ransomware trying to delete shadow copies tends to rely on vssadmin.exe (instead of the attacker reverse-engineering vssadmin.exe to find out how it works internally and writing a custom wrapper to do the same thing in a stealthier way against interception), or just deploying a PowerShell payload.

Some exploits exploited in the wild are really deadly but 9 times out of 10 they are not used to their full potential luckily for us. I guess a majority of people exploiting vulnerabilities with malicious intent are in way over their head and probably didn't even find and exploit the vulnerability themselves.

And by "full potential" I am referring to the payload being executed due to exploitation. I mean using PowerShell which every vendor under the sun is interested in keeping an eye out for or trying to execute vssadmin.exe with parameters to indicate shadow copy removal isn't exactly "stealth" is it.

We all may as well disable features like PowerShell unless we REALLY need them. I can't believe PowerShell is coming to Linux though, it's the best way to increase the attack vector.

CMD, PowerShell, VBScript... I guess it is all commonly abused nowadays, has been for a long time now.
 

Lightning_Brian

Level 15
Verified
Top Poster
Content Creator
Sep 1, 2017
743
Well all the more reason and 'fire power' for sys. admins to request removal of Adobe Flash Player if it is not needed nor critical for their systems to have.

I'm hoping people will learn to adopt more software that doesn't need Adobe Flash Player nor Java. I feel as though zero day exploits can really be avoided by avoiding a lot of add-ons that are not needed or not critical for systems. My company has removed Adobe Flash Player from all of our systems along with Java after I made my case with the Chief Information Officer (CIO) and Chief Security Officer (CSO). I'd encourage others to do the same thing. It didn't take long to show them the exploits that are out there and the damage that can be done before they agreed with me 150%.

Personal computer wise: I tell all of my clients that I help to never have Flash or Java installed. If it is a must for a tech. tool install it for as long as you need to use the tool (for a few hours or less) and take it off the machine. Not worth opening up potential security issues on a computer.

~Brian
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
Well all the more reason and 'fire power' for sys. admins to request removal of Adobe Flash Player if it is not needed nor critical for their systems to have.

I'm hoping people will learn to adopt more software that doesn't need Adobe Flash Player nor Java. I feel as though zero day exploits can really be avoided by avoiding a lot of add-ons that are not needed or not critical for systems. My company has removed Adobe Flash Player from all of our systems along with Java after I made my case with the Chief Information Officer (CIO) and Chief Security Officer (CSO). I'd encourage others to do the same thing. It didn't take long to show them the exploits that are out there and the damage that can be done before they agreed with me 150%.

Personal computer wise: I tell all of my clients that I help to never have Flash or Java installed. If it is a must for a tech. tool install it for as long as you need to use the tool (for a few hours or less) and take it off the machine. Not worth opening up potential security issues on a computer.

~Brian
Very well done (y). I use neither Java nor Adobe Flash Player and I live happy :p
 
plat1098

According to this article: An Adobe Flash 0day is being actively exploited in the wild, North Korea is not only a prime suspect, but South Korea is targeted with these weaponized Excel documents.

I couldn't help but recall a recent news series that spoke about North and South Korea joining forces in the upcoming Olympics: North and South Korean hockey players team up for Olympics. You're supposed to come together here without regard for politics and national hatreds. An interesting dilemma.

Edit to add: Yes, the concerns are already on the table. We'll see, I guess.

DHS issues hacking warning over Winter Olympics
 

zzz00m

Level 6
Verified
Well-known
Jun 10, 2017
248
Well all the more reason and 'fire power' for sys. admins to request removal of Adobe Flash Player if it is not needed nor critical for their systems to have.

I'm hoping people will learn to adopt more software that doesn't need Adobe Flash Player nor Java. I feel as though zero day exploits can really be avoided by avoiding a lot of add-ons that are not needed or not critical for systems. My company has removed Adobe Flash Player from all of our systems along with Java after I made my case with the Chief Information Officer (CIO) and Chief Security Officer (CSO). I'd encourage others to do the same thing. It didn't take long to show them the exploits that are out there and the damage that can be done before they agreed with me 150%.

Personal computer wise: I tell all of my clients that I help to never have Flash or Java installed. If it is a must for a tech. tool install it for as long as you need to use the tool (for a few hours or less) and take it off the machine. Not worth opening up potential security issues on a computer.

~Brian

Agree with this policy. And only use the plugins that you absolutely need, and keep them updated.

I would add that there is a difference between the Java web plugin, and the JRE (Java runtime environment). I have some software that requires the JRE to be available on the local system in order to run a local application written in Java. This is not web connected, or browser related in any way.

I always made sure to remove any browser plugins I may have received any time I updated Java. I think that Oracle has made an effort to stop distributing the browser plugin with the JRE and JDK (Java development kit). It should be deprecated in the current version 9 and removed in future releases. Oracle to Kill Java Browser Plugin | SecurityWeek.Com
JDK 9 and the Java Plugin

As far as I know, there is no greater risk to executing Java code locally that you have with executing any other code locally. Always run only signed and trusted code on your machine. That was the biggest risk with the browser running Java applets in the plugin, you never knew what you would encounter online!
 
Deleted member 65228

Thanks :)

My advice is to literally just not use Flash.

I disable it if I am using a browser with it enabled/require click-to-play and don't install it standalone - HTML5 is really good and it's a great replacement for Adobe Flash anyway.

Adobe Flash has had vulnerabilities flying out its bottom since I was a toddler being taught to use a baby potty... Nothing has changed. Same old Adobe Flash with its usual tricks surprising us all in how many vulnerabilities it can really have.

Nothing is foolproof but on the serious side it's a huge target... Best avoid it. My advice is to use things which are responsible/secure but lesser-known/not as big as a target, and keep switching when things change.

E.g.:
Microsoft Office -> Google Docs
Adobe Flash -> HTML5
Java -> Who cares it's Java no need for a replacement (joke)

Eventually it will be:
Google Docs -> ?
HTML5 -> ?

And it will keep changing as attacks/security evolves :)
 
Deleted member 65228

My company has removed Adobe Flash Player from all of our systems along with Java after I made my case with the Chief Information Officer (CIO) and Chief Security Officer (CSO).
I've only just read this, looks like you are thinking what I am thinking... I mentioned Java in my above post just now. Looks like we have great minds and they are alike (it's a pleasure to know I have a great mind because if I have the same thought as you then it must be this :) )

You did a good thing talking to them and getting them to make the changes, you've also made them more secure. For all you know, your actions could have stopped a future attack. Pat yourself on the back my friend, not many people would waste their time to offer suggestions like that to a company's admins (they just won't care to do so even if they know about the topic) :)
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,643
I have added this to my tweaks to cripple Windows Flash. It prevents it from being run, but it can be updated. After an update, it has to be run again, unless you remove Trusted Installer as well, then it can never be updated or run. The same goes for the other versions, or you can take permissions from the whole Flash folders.

Code:
takeown /f "%SystemRoot%\System32\Macromed\Flash\FlashUtil_ActiveX.exe" /a
icacls "%SystemRoot%\System32\Macromed\Flash\FlashUtil_ActiveX.exe" /inheritance:r /remove "Administrators" "Authenticated Users" "Users" "System"
takeown /f "%SystemRoot%\SysWow64\Macromed\Flash\FlashUtil_ActiveX.exe" /a
icacls "%SystemRoot%\SysWow64\Macromed\Flash\FlashUtil_ActiveX.exe" /inheritance:r /remove "Administrators" "Authenticated Users" "Users" "System"
 

Lightning_Brian

Level 15
Verified
Top Poster
Content Creator
Sep 1, 2017
743
I've only just read this, looks like you are thinking what I am thinking... I mentioned Java in my above post just now. Looks like we have great minds and they are alike (it's a pleasure to know I have a great mind because if I have the same thought as you then it must be this :) )

You did a good thing talking to them and getting them to make the changes, you've also made them more secure. For all you know, your actions could have stopped a future attack. Pat yourself on the back my friend, not many people would waste their time to offer suggestions like that to a companies admins (they just won't care to do so even if they know about the topic) :)

@Opcode Thank you for the nice compliments! Great minds do think alike! ;):D

Eliminating Adobe Flash Player and Java from off of all the machines doesn't take very long and increases security tremendously. Like you mentioned this could have stopped many future attacks from ever occurring. Once I showed them a few small exploits that can easily happen it didn't take long for them to agree for me to remove it off all of our machines.

I advised all of our techs who have software that requires Java to only install the latest version of Java (or the version that is supported for the particular software in question) just long enough to do their jobs with the computer in question. From there I told them to take it off the machine. My techs. thought I was nuts at first, but then really realized the power of this and listened quite fast once I showed them just a few exploits out in the wild. Some companies may look at my company thinking we are paranoid, but once they were hit by something they'd wish they implemented everything we did. After speaking at a security conference in my local community those who came to the conference sent me a lot of messages thanking me for giving them the ammunition they needed to make sure their company doesn't fall victim to some of the latest threats in the IT world.

I'll say this: people call me "paranoid", but I say I'm just really conscious and cautious about anything I implement for security reasons. Others claim that I "lock things down a bit too much", but then come to me to thank me later when something I mentioned to them pans out and saves them big time. Eliminating Flash and Java flat out can save people big time for a lot of threats - not all, but a good chunk. Couple this with some good end-user training and your workforce will be much more secure.

@Opcode thanks again for the nice compliments. (y)(y) I enjoy reading your posts too. I believe we think a lot alike when it comes to security. (y)(y)(y)

~Brian
 
