Adobe released patches today for a new zero-day vulnerability discovered in the company’s popular Flash Player app. The zero-day has been spotted embedded inside malicious Microsoft Office documents.
These documents were discovered last month after they’ve been uploaded on VirusTotal, a web-based file scanning service, from a Ukrainian IP address.
According to reports from Gigamon (formerly ICEBRG) and Chinese cyber-security firm Qihoo 360 Core Security, the two companies which spotted the documents, the zero-day was embedded as a Flash Active X object inside a Word document designed to look like a seven-page employment application for a Russian state healthcare clinic.
If victims who received the documents allowed the Flash Active X object to execute, researchers said the malicious code would escalate its access from the Office app to the underlying OS. Here it would drop a JPG file, then unzip another RAR file attached at the end of this JPG file to drop an EXE file on the victim’s PC, and then run this file (a basic barebones backdoor trojan). Researchers said this zero-day was capable of running on both 32-bit and 64-bit architectures.
Qihoo 360 also pointed out that the malicious documents containing this zero-day were uploaded on VirusTotal just days after the now-infamous Kerch Strait incident between Russia and Ukraine.
However, the Chinese researchers didn’t go on the record to formally attribute the zero-day to Russian state hackers –known to use Flash zero-days in the past, and known for their repeated attacks on Ukraine ever since the two countries have entered into an unofficial conflict in 2014– or to Ukrainian officials.
It is unclear if the Flash zero-day was used in live attacks, and the documents were uploaded on VirusTotal by victims, or if the zero-day was still under development, and the documents uploaded by their creator using a Ukrainian VPN.
Both Gigamon and Qihoo 360 pointed out that the zero-day’s code had similarities with the zero-day exploits created by Italian spyware vendor HackingTeam, which was hacked and had its tools leaked online in 2015.
Adobe has assigned the CVE-2018-15982 identifier to this recent zero-day. Today’s Flash security updates also included a fix for another for another security bug, CVE-2018-15983, privilege escalation issue caused by Flash Player app loading DLL files in an insecure manner.
Adobe’s normal Patch Tuesday was scheduled for next week. The company is still expected to release security fixes for other products, as expected, on December 11.