Adobe's Flash Player has been the cause of security concerns over the past few years with lots of attackers targeting the particular software. A few months ago, Kaspersky Lab discovered a Flash vulnerability through Microsoft Word, and in February 2017, even Microsoft was forced to release a critical security update for Flash on Windows, separate from its Patch Tuesday schedule.
Now, another zero-day vulnerability has been discovered in the software, which allows Remote Code Execution (RCE) on various platforms. According to Adobe, it is already being utilized against Windows users on a limited scale.
The latest security issue has been discovered by South Korea's CERT and has been reported in detail by Cisco Systems' Talos group. According to the security researchers, the exploit is carried out by embedding a Flash SWF file in a Microsoft Excel document. In the limited number of attacks carried out using this vulnerability so far, opening this document allows the Flash object to download the ROKRAT payload from malicious websites, load it into the memory and execute it. ROKRAT is a Remote Administration Tool that is used in cloud platforms to procure documents.
According to Talos, a group named "Group 123" is the perpetrator of ROKRAT, but this is the first time that it has utilized a zero-day vulnerability. The security researchers go on to say that:
Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities - they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group. Whilst Talos do not have any victim information related to this campaign we suspect the victim has been a very specific and high value target. Utilizing a brand new exploit, previously not seen in the wild, displays they were very determined to ensure their attack worked.
In a security advisory, Adobe notes that the vulnerability, if exploited fully, can potentially allow an attacker to take control of a system completely. Details of affected platforms are as follows:
|Adobe Flash Player Desktop Runtime||
18.104.22.168 and earlier versions
|Adobe Flash Player for Google Chrome||22.214.171.124 and earlier versions||Windows, Macintosh, Linux and Chrome OS|
|Adobe Flash Player for Microsoft Edge and Internet Explorer 11||126.96.36.199 and earlier versions||Windows 10 and 8.1|
|Adobe Flash Player Desktop Runtime||188.8.131.52 and earlier versions||Linux|
Adobe says that it will release a patch for zero-day on February 5, and until then, it is recommended that administrators use the Protected View for Office, and change Flash Player's behavior on Internet Explorer on Windows 7 and below, such that it warns a user before playing an SWF file.