Adobe’s Flash Player has been hit with another zero-day vulnerability that could allow remote code execution (RCE) on several platforms. Worse, the flaw is already being exploited against Windows users, albeit on a limited scale.
The vulnerability was reported by South Korea’s CERT. Security researchers explain that the exploit is delivered by embedding a malicious Flash SWF file in a Microsoft Excel document. According to Neowin, in the limited number of attacks seen so far, opening the document triggers the embedded Flash object, which downloads the ROKRAT payload from attacker-controlled websites. ROKRAT is a RAT (Remote Administration Tool) that abuses cloud storage platforms to steal documents.
Once ROKRAT is downloaded, the exploit loads it directly into memory and executes it. The payload has been attributed to a threat group known as ‘Group 123’; this is, however, the first time the group has been seen using a zero-day vulnerability.
Security researchers further note that with this latest ROKRAT payload Group 123 has joined the “criminal elite”: exploiting an Adobe Flash zero-day was outside the group’s previously observed capabilities. The new exploit suggests the group has matured into a highly sophisticated and skilled one.
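The delivery mechanism described above, a Flash SWF object embedded in an Office document, is something a defender can scan for directly, independent of any particular CVE. The following Python is an added example written for this page (it is not code from the page’s sources, from Adobe, or from the researchers cited): it looks for SWF headers (`FWS`, `CWS`, `ZWS`) inside the parts of an OOXML document, or in the raw bytes of a legacy OLE2 file, and applies a few sanity checks so the three-letter signatures in ordinary text do not trigger it. The sample workbook it scans is constructed in memory; the embedded `CWS` object is a header plus zlib-compressed filler, not a real SWF and not an exploit. The version cap `_MAX_SWF_VERSION` and the part names are assumptions made for the example.

```python
"""Flag embedded Flash (SWF) objects in Office documents.

Handles two containers:
  * OOXML (.xlsx/.docx/.pptx): a ZIP archive; embedded OLE objects sit in
    parts such as xl/embeddings/oleObject1.bin, and every part is scanned.
  * Legacy OLE2/CFB (.xls/.doc): the raw bytes are scanned. This is a
    heuristic only; a header straddling a 512-byte sector boundary is
    missed (use olefile to walk the streams for a full parse).
"""
import io
import re
import sys
import zipfile
import zlib

# SWF header layout: 3-byte signature, 1-byte version, 4-byte little-endian
# length. FWS = uncompressed, CWS = zlib body, ZWS = LZMA body.
_SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)(.)(.{4})", re.DOTALL)
_MAX_SWF_VERSION = 50        # assumption: generous bound (late Flash builds wrote ~43)
_OOXML_MAGIC = b"PK\x03\x04"
_OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_swf_headers(data: bytes) -> list:
    """Return plausible SWF headers in `data` as dicts (offset, signature, version, length).

    The checks after the signature match cut false positives caused by the
    three-letter signatures turning up in ordinary text.
    """
    hits = []
    for m in _SWF_HEADER.finditer(data):
        sig = m.group(1).decode("ascii")
        version = m.group(2)[0]
        length = int.from_bytes(m.group(3), "little")
        if version == 0 or version > _MAX_SWF_VERSION:
            continue
        if length < 8:                      # declared length covers the header itself
            continue
        if sig == "FWS" and m.start() + length > len(data):
            continue                        # an uncompressed file must fit in the container
        if sig == "CWS" and data[m.end():m.end() + 1] != b"\x78":
            continue                        # a zlib stream always begins with 0x78
        hits.append({"offset": m.start(), "signature": sig,
                     "version": version, "length": length})
    return hits


def scan_office_document(blob: bytes) -> dict:
    """Map part name -> SWF hits for an OOXML or OLE2 document given as bytes."""
    results = {}
    if blob.startswith(_OOXML_MAGIC):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits = find_swf_headers(zf.read(name))
                if hits:
                    results[name] = hits
    elif blob.startswith(_OLE2_MAGIC):
        hits = find_swf_headers(blob)
        if hits:
            results["<ole2 raw bytes>"] = hits
    else:
        raise ValueError("not an OOXML or OLE2 document")
    return results


def build_sample_xlsx(with_swf: bool = True) -> bytes:
    """Constructed sample: a minimal xlsx-shaped ZIP with one embedded OLE part.

    With `with_swf` the part holds a CWS header followed by zlib-compressed
    filler (not a real SWF, not an exploit); otherwise it holds text that
    merely contains the letters "CWS".
    """
    swf_body = b"\x00" * 64                      # stand-in for the SWF tag stream
    swf = (b"CWS" + bytes([10])
           + (8 + len(swf_body)).to_bytes(4, "little")
           + zlib.compress(swf_body))
    payload = swf if with_swf else b"NEWS: CWS? no flash here"
    ole_part = b"\x00" * 32 + payload + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", ole_part)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsx()
    for part, hits in scan_office_document(data).items():
        for h in hits:
            print(f"{part}: {h['signature']} v{h['version']} at offset {h['offset']}, "
                  f"declared length {h['length']}")
```

Run with a file path to scan a real document, or with no arguments to scan the constructed sample. Two caveats: `ZWS` headers only get the version and length checks, so expect more false positives there than for `CWS`, and a hit means “embedded Flash present”, not “exploit for CVE-2018-4878”. For triage that is still the right signal, since benign Flash inside an e-mailed spreadsheet is rare enough to warrant a look.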
In its security advisory (APSA18-01), Adobe acknowledged the issue and said that an exploit for the vulnerability (CVE-2018-4878) “exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.”
It is unclear how many people have fallen victim to the exploit, but in the same advisory Adobe warns that successful exploitation could allow an attacker to take complete control of the affected system. The affected products are Adobe Flash Player Desktop Runtime and the Flash Player builds bundled with Google Chrome, Microsoft Edge and Internet Explorer 11, across Windows, Macintosh, Linux and Chrome OS; version 28.0.0.137 and earlier are vulnerable.
Adobe said it would address the vulnerability in a release planned for the week of February 5, and asked users to watch the Adobe Product Security Incident Response Team (PSIRT) blog for updates. In the meantime it recommends that administrators enable Protected View for Office, which opens files marked as potentially unsafe in read-only mode, and change Flash Player’s behavior in Internet Explorer on Windows 7 and below so that it prompts the user before playing SWF content.
It is worth noting that Adobe is retiring Flash altogether. The company announced last year that it will stop updating and distributing Flash Player at the end of 2020, giving content creators time to migrate their existing Flash content to open formats.