Browsers have become too smart, so hackers are embedding zero-day Flash exploits in Microsoft Office files

Unable to get Flash past the browser, attackers are switching to Office files; most recently, hackers targeted diplomats in the Middle East.

Because it has become increasingly difficult to exploit vulnerabilities in Adobe Flash and other browser plugins, hackers have begun switching to Microsoft Office documents that load Flash remotely and then use a zero-day vulnerability to take control of the computer.

On Thursday, Adobe released a patch for a serious vulnerability, CVE-2018-5002. It is a buffer overflow triggered by an Office file that carries an embedded path to a Flash file hosted on people.dohabayt.com; when the infected file is opened, it downloads the malicious payload from that domain. That is the assessment of researchers at Icebrg and Qihoo 360, who discovered the flaw and reported it to Adobe independently.

Over the past few years, browsers have begun blocking Flash content by default to prevent drive-by attacks (exploits served from malicious websites) against vulnerabilities in Adobe's widely used player. However, some versions of Microsoft Office still load Flash, even though it is rarely if ever needed, said Icebrg CEO William Peteroy. To be safe, users should make sure Flash is prevented from loading when it is installed, or that Office asks before loading it.

'Adobe Flash Player downloaded from Microsoft Store is a popular way of exploiting Flash because it has been disabled in the browser,' researchers at Icebrg said. Often the Flash file is embedded in the document, making it hard for antivirus software to detect. 'Unlike the usual tactic, this type of attack uses a lesser-known feature: it loads remote Flash content instead of embedding it directly in the document. Only the XML package that selects the Flash Player ActiveX and OLE object shows the new parameters.'

[Figure 1: Examples of remote Flash objects embedded in Office documents]

Because the document itself contains no exploit code, the attack is harder to detect. Loading the payload remotely also lets the attacker serve the exploit only to predefined IP addresses rather than to anyone who opens the document, which helps the operation stay hidden for a long time.
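The two passages above describe the tell-tale sign of this technique: the Office package carries no exploit, only a Flash Player ActiveX object whose parameters point at a remote URL. The following Python script is an added, constructed example (not code from the article, Icebrg or Qihoo 360) of how a defender can triage an OOXML document for that pattern. It opens the package as a zip, looks for ActiveX parts whose classid is the published Shockwave Flash control CLSID, reports any control property whose value is an http(s)/ftp URL, and also reports any package relationship marked External. The part names, the in-memory sample document and the remote.example.invalid URL are constructed for illustration; nothing here runs Flash or fetches anything.

```python
"""Triage an OOXML package (docx/xlsx/pptx) for Flash objects loaded from a remote URL.

Added example, constructed for illustration; not the article's or the researchers' code.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Published CLSID of the Shockwave Flash ActiveX control; compared case-insensitively.
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"


def _local(qname):
    """'{uri}name' -> 'name', so matching ignores namespace prefixes."""
    return qname.rsplit("}", 1)[-1]


def _attrs(el):
    return {_local(k): v for k, v in el.attrib.items()}


def find_remote_flash(package_bytes):
    """Scan every XML and .rels part in the package.

    Returns a list of (part_name, kind, detail) tuples where kind is one of
    'flash-activex' (detail: dict of control properties),
    'remote-flash-url' (detail: the URL) or
    'external-relationship' (detail: the relationship target).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.lower().endswith((".xml", ".rels")):
                continue
            try:
                root = ET.fromstring(pkg.read(part))
            except ET.ParseError:
                continue  # binary or damaged part; out of scope for this check
            for el in root.iter():
                tag, attrs = _local(el.tag), _attrs(el)
                if tag == "ocx" and attrs.get("classid", "").upper() == FLASH_CLSID:
                    # Collect the control's property bag (Movie, Src, ...).
                    props = {}
                    for child in el:
                        if _local(child.tag) == "ocxPr":
                            a = _attrs(child)
                            props[a.get("name", "")] = a.get("value", "")
                    findings.append((part, "flash-activex", props))
                    for value in props.values():
                        if REMOTE_URL.match(value):
                            findings.append((part, "remote-flash-url", value))
                elif tag == "Relationship" and attrs.get("TargetMode") == "External":
                    findings.append((part, "external-relationship", attrs.get("Target", "")))
    return findings


def is_suspicious(findings):
    """True when the package would load Flash content from a remote location."""
    return any(kind == "remote-flash-url" for _, kind, _ in findings)


def build_sample_docx(with_remote_flash=True):
    """Build a minimal, constructed docx-like zip in memory (not a real malicious sample)."""
    activex = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{{D27CDB6E-AE6D-11cf-96B8-444553540000}}" '
        'ax:persistence="persistPropertyBag">'
        '<ax:ocxPr ax:name="Movie" ax:value="http://remote.example.invalid/loader.swf"/>'
        '<ax:ocxPr ax:name="Src" ax:value="http://remote.example.invalid/loader.swf"/>'
        '<ax:ocxPr ax:name="AllowScriptAccess" ax:value="always"/>'
        '</ax:ocx>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Constructed sample</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
        if with_remote_flash:
            z.writestr("word/activeX/activeX1.xml", activex)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, detail in find_remote_flash(build_sample_docx()):
        print(f"{kind:22} {part}: {detail}")
```

To run it against a real file, pass `open(path, "rb").read()` to `find_remote_flash`. The check deliberately matches on the control's CLSID rather than on file names, because the ActiveX part can be renamed freely; the External-relationship check is broader than Flash and will also surface remote templates and linked objects, which is useful context when triaging a phishing document.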

For years, security researchers have advised users to remove the stand-alone Flash application and rely on the browser's default blocking of Flash content. After this latest incident, you should also block Flash content in documents, especially those from untrusted sources. If you still use Flash, make sure you are running the latest version, 30.0.0.113, which can be downloaded from https://get.adobe.com/flashplayer/
