Adobe patched two critical and two important vulnerabilities in its Flash Player on Thursday, including one that is being exploited in the wild in targeted attacks against Windows users.
The critical vulnerability with an existing exploit (CVE-2018-5002) is a stack-based buffer overflow bug that could enable arbitrary code execution, according to Adobe. The attacks are leveraging Office documents, the company said.
“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users,” the company said in a release Thursday. “These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.”
Microsoft did not respond to a request for comment from Threatpost by publication.
Allan Liska, threat intelligence analyst at Recorded Future, told Threatpost the vulnerability is currently being exploited as part of several phishing campaigns.
“The exploit takes advantage of a Flash file embedded in a Microsoft Office document; when the victim opens the Office document the trojaned Flash code automatically runs and executes shell code which calls out to the attackers’ command and control servers,” Liska told Threatpost.
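For defenders triaging mail attachments against the delivery method described above, the following added example (not code from Adobe, Recorded Future or the article) flags Office documents that carry a Flash ActiveX control or SWF data. It assumes OOXML (zip) input with a raw-byte fallback for other formats; the Shockwave Flash class ID and SWF header bytes are well-known constants, and both sample documents are constructed.

```python
import io
import re
import uuid
import zipfile

# Class ID of the Shockwave Flash ActiveX control (well-known constant).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# Same GUID as laid out in binary OLE/ActiveX streams (mixed-endian form).
FLASH_CLSID_BIN = uuid.UUID(FLASH_CLSID).bytes_le
# Heuristic: SWF signature (FWS/CWS/ZWS) followed by a plausible version byte.
SWF_HEADER = re.compile(rb"[FCZ]WS[\x03-\x32]")

def scan_part(name, data):
    """Return (part_name, reason) tuples for one document part."""
    hits = []
    if FLASH_CLSID.encode() in data.upper():
        hits.append((name, "flash-clsid-text"))
    if FLASH_CLSID_BIN in data:
        hits.append((name, "flash-clsid-binary"))
    if SWF_HEADER.search(data):
        hits.append((name, "swf-header"))
    return hits

def find_embedded_flash(doc_bytes):
    """Scan every part of an OOXML file; fall back to raw bytes if not a zip."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return scan_part("<raw>", doc_bytes)  # e.g. legacy .doc or RTF
    with zf:
        hits = []
        for name in zf.namelist():
            hits += scan_part(name, zf.read(name))
    return sorted(hits)

def build_sample(parts):
    """Build a constructed OOXML-like zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: one benign document, one with a Flash ActiveX control.
CLEAN_DOC = build_sample({"word/document.xml": b"<w:document>hello</w:document>"})
SUSPECT_DOC = build_sample({
    "word/document.xml": b"<w:document><w:control r:id='rId1'/></w:document>",
    "word/activeX/activeX1.xml":
        b'<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
    "word/activeX/activeX1.bin": b"\x00\x01" + FLASH_CLSID_BIN + b"\x00",
})
```

A hit means the document embeds Flash and should be held for review; it does not by itself identify an exploit for any particular CVE.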
Impacted versions include Adobe Flash Player Desktop Runtime (18.104.22.168 and earlier versions) on Windows, macOS and Linux; Adobe Flash Player for Google Chrome (22.214.171.124 and earlier versions) for Windows, macOS, Linux and Chrome OS; and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (126.96.36.199 and earlier versions) for Windows 10 and 8.1.
The updates for all platforms had a priority rating of two out of three, meaning there are no exploits; but the Adobe Flash Player Desktop Runtime platform for Linux was rated priority three out of three.
According to Adobe’s priority rating description, a rating of three means the “update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”
According to Adobe, CVE-2018-5002 was discovered by researchers from an array of organizations, including individuals from ICEBRG; 360 Threat Intelligence Center of 360 Enterprise Security Group; and Qihoo 360 Core Security.
The company issued a patch for another critical vulnerability (CVE-2018-4945) that enables arbitrary code execution. The bug was discovered by Jihui Lu of Tencent KeenLab and willJ of Tencent PC Manager, working with Trend Micro’s Zero Day Initiative.
Adobe also issued patches for two “important” vulnerabilities that could both lead to information disclosure: an integer overflow bug (CVE-2018-5000) and an out-of-bounds read glitch (CVE-2018-5001).
Adobe recommended that users of all impacted versions update immediately to version 188.8.131.52 via the update mechanism within the product or by visiting the Adobe Flash Player Download Center.
Meanwhile, Adobe Flash Player with Google Chrome, Microsoft Edge, and IE 11 for Windows 10 and 8.1 “will be automatically downloaded to the latest version,” the company said.
Adobe has doled out its fair share of patches over the past few months – just weeks ago the company posted patches for a slew of critical vulnerabilities, which have a higher risk of being exploited. Earlier in May, Adobe released patches for five critical and important vulnerabilities spanning Creative Cloud, Adobe Flash Player and web conferencing software tool Adobe Connect.