Zero-day exploit for Flash vulnerability CVE-2018-4878
Microsoft

On February 1, 2018, the Korea Internet Security Center (KrCERT/CC) reported a zero-day remote code execution (RCE) exploit for the Adobe Flash Player vulnerability CVE-2018-4878 that is actively being used in the wild. Adobe has since published an advisory and plans to release a patch during the week of February 5.

At the moment, the attack is targeted and is limited to a specific region in East Asia. The reported attack uses a malformed Flash object embedded in a Microsoft Excel document. The same exploit can be embedded in other content that supports Flash controls, including web content delivered through web browsers.

Windows Defender Antivirus detects the attack as:

  • Exploit:SWF/Korpode.A (exploit code)
  • Trojan:Win32/Korpode.A (dropped Trojan file)

Attack mitigations

There are several ways that this attack can be mitigated before the patch is available:

  • Protected view in Microsoft Office can prevent automatic execution of the exploit.
  • Attack surface reduction, a capability of Windows Defender Exploit Guard in Windows 10 Fall Creators Update, can prevent executable content from being written, injected, or launched from an Office application.
  • On machines that are running previous versions of Windows, Enhanced Mitigation Experience Toolkit (EMET) attack surface reduction can help prevent Flash objects from executing. (Note that Microsoft has announced that EMET will no longer be officially supported after July 31, 2018.) 
  • While the patch remains unavailable, consider disabling or uninstalling Flash. Prioritize disabling Flash controls in Microsoft Office as well as web browsers, including Microsoft Edge and Internet Explorer. Enterprises can turn off Flash for Microsoft Edge and Internet Explorer using Group Policy.
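
The attack surface reduction mitigation above, as an added example that is not part of the original advisory: a PowerShell script that turns on the three Office-related ASR rules matching "written, injected, or launched" and reports their state before and after. It assumes Windows 10 version 1709 or later, Windows Defender Antivirus as the active antivirus, and an elevated session; the rule GUIDs are Microsoft's documented ASR rule identifiers, not values from this page.

```powershell
# Added example (not from the original advisory). Run from an elevated prompt
# on Windows 10 version 1709 or later with Windows Defender Antivirus active.
[CmdletBinding()]
param(
    # 'AuditMode' only logs would-be blocks; use it to pilot before enforcing.
    [ValidateSet('Enabled', 'AuditMode')]
    [string]$Action = 'Enabled'
)

# ASR rules covering the three Office behaviours named in the advisory.
$OfficeRules = [ordered]@{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting code into other processes'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office apps from creating child processes'
}
$ActionCode = @{ 'Enabled' = 1; 'AuditMode' = 2 }   # numeric values reported by Get-MpPreference

function Get-AsrState {
    # Map each configured rule GUID (upper-cased) to its numeric action.
    $pref  = Get-MpPreference
    $state = @{}
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i]) { $state[$ids[$i].ToUpper()] = [int]$acts[$i] }
    }
    return $state
}

$before = Get-AsrState
foreach ($id in $OfficeRules.Keys) {
    if ($before[$id] -ne $ActionCode[$Action]) {
        # Add-MpPreference adds to the existing rule list; Set-MpPreference would replace it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

# Re-read the configuration and report what is actually in effect.
$after = Get-AsrState
$OfficeRules.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.Value
        Id     = $_.Key
        Before = $before[$_.Key]
        After  = $after[$_.Key]
    }
} | Format-Table -AutoSize
```

An empty `Before` column means the rule was not configured; `1` is block mode and `2` is audit mode.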

Key takeaways

  • The attack, which has been reported in the wild, exploits an unpatched Adobe Flash Player vulnerability.
  • The exploit is a remote code execution (RCE) exploit that requires a malformed, embedded Flash object to be executed. The reported attack launches the Flash object from a Microsoft Excel document. The same exploit can be embedded in web content and launched from web browsers.
  • A patch is currently unavailable—one is expected from Adobe during the week of February 5. While the patch is unavailable, apply the recommended mitigations.

For the latest updates, follow @WDSecurity on Twitter.