In a security alert posted on its website on January 31, The South Korean Computer Emergency Response Team (KR-CERT) warned of a zero-day vulnerability in Adobe Flash player that could be maliciously exploited. The vulnerability, CVE-2018-4878, is a critical remote code execution flaw that could be exploited by convincing or luring a user to open Microsoft Office documents, web pages, or spam mails containing a Flash file (Detected by Trend Micro as SWF_EXPLOYT.BL). Adobe has released an update addressing this vulnerability, which can be found on theirsecurity updates page.
While the vulnerability itself is not unusual in terms of how it’s exploited, what is particularly noteworthy is that it is already being used for malicious means. Security researcher Simon Choi tweeted on February 2, 2018 that the vulnerability was being used by North Korean hackers to attack South Korean targets researching North Korean topics. According to Choi, these attacks have been on-going since November 2017.
Adobe has already acknowledged the existence of the vulnerability in a bulletin (APSA18-01) posted on their website. According to the text, the company is already aware of reports of the CVE-2018-4878 exploits, as well as its use in limited, targeted attacks against Windows users.
The affected product versions include 18.104.22.168 and earlier versions of the following:
Adobe Flash Player Desktop Runtime (Win/Mac)
Adobe Flash Player for Google Chrome (Win/Mac/Linux/Chrome OS),
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Win 10 & 8.1)
Adobe Flash Player Desktop Runtime (Linux).
Mitigating Software Vulnerabilities
KR-CERT provide good recommendations for minimizing the risk of being targeted by cybercriminals looking to exploit CVE-2018-4878. In addition to removing Flash Player while waiting for official updates, they also recommend implementing Protected View on Microsoft Office programs, allowing it to set potentially unsafe files as read-only.
Exploiting vulnerabilities is one of the most common attack methods cybercriminals use to target their victims. The WannaCry outbreak in May 2017, perhaps the most notorious malware attack of the last few years, resulted from exploiting the EternalBlue vulnerability. To address these vulnerabilities, companies will often release security updates or patches within a short amount of time. However, unless these updates are automated, it is up to the users to apply them to their systems and devices. Thus, users are highly encouraged to keep both their hardware and software updated to the latest versions. For larger organizations, however, patching can be difficult and time consuming, often due to a lack of resources or software incompatibility – leading to a delay or “lag” in patching. For situations such as this, virtual patching can help bridge the gap between the vulnerable unpatched periods and the actual implementation of updates.
Given the use of spam and lure documents as part of malware infection routines, users should also be aware of the different phishing and social engineering techniques cybercriminals use in their attacks. Suspicious links and attachments are red flags that the incoming message is malicious in nature.
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).