So another 0-Day Flash Vulnerability is being exploited in the Wild, a previously unknown flaw which has been labelled CVE-2018-4878 and it affects 220.127.116.11 and earlier versions for both Windows and Mac (the desktop runtime) and for basically everything in the Chrome Flash Player (Windows, Mac, Linux and Chrome OS).
The full Adobe Security Advisory can be found here:
Adobe warned on Thursday that attackers are exploiting a previously unknown security hole in its Flash Player software to break into Microsoft Windows computers. Adobe said it plans to issue a fix for the flaw in the next few days, but now might be a good time to check your exposure to this still-ubiquitous program and harden your defenses.
Adobe said a critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 18.104.22.168 and earlier versions. Successful exploitation could allow an attacker to take control of the affected system.
The software company warns that an exploit for the flaw is being used in the wild, and that so far the attacks leverage Microsoft Office documents with embedded malicious Flash content. Adobe said it plans to address this vulnerability in a release planned for the week of February 5.
According to Adobe’s advisory, beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing Flash content. A guide on how to do that is here (PDF). Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.
The wild usage of the exploit seems to be in the Korean context with North Korean hackers using it against South Korean targets and apparently they have been using it since November 2017.
It’s a fairly complex attack chain so I’m surprised if it’s a very reliable exploit as it targets Flash content embedded in Microsoft Office documents.
Hopefully, most readers here have taken my longstanding advice to disable or at least hobble Flash, a buggy and insecure component that nonetheless ships by default with Google Chrome and Internet Explorer. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.
For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.
By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.
Another, perhaps less elegant, alternative to wholesale kicking Flash to the curb is to keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.
Most browsers of the current generation have either no Flash support at all, or make it “ask-first” when Flash content attempts to display. I would hazard a guess that this is why the attackers chose to target Flash embedded in Microsoft Office documents as it’s such ubiquitous software and not so regularly updated or patched by individuals or organsations.
It’s not the first Flash zero-day and it won’t be the last, we’ve reported on a few before, I think the impact should get less and less as more sites phase out Flash and move to native HTML5.