The South Korean Computer Emergency Response Team issued a warning Wednesday of a new Adobe Flash Player zero-day spotted in the wild. The security bulletin warns that the attacks are focused on South Koreans and involve malicious Microsoft Word documents.
According to the South Korean Computer Emergency Response Team (KR-CERT), the zero-day is believed to be a Flash SWF file embedded in MS Word documents. Impacted is Adobeâ€™s most recent Flash Player 22.214.171.124 and earlier.
â€śAn attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file,â€ť according to a machine translationÂ of the KR-CERT security bulletin.
Adobe released a security advisory on Thursday acknowledging the vulnerability and attacks.
â€śAdobe is aware of a report that an exploit forÂ CVE-2018-4878Â exists in the wild, and is being used in limited, targeted attacks against Windows users. Adobe will address this vulnerability in a release planned for the week of February 5,â€ť according the advisory.
Adobe said the zero-day is exploiting the vulnerability CVE-2018-4871, an out-of-bounds read issue. According to Mitreâ€™s CVE record it was discovered in Adobe Flash Player before 126.96.36.199. It rates the threat as â€ścriticalâ€ť. Adobe credits KR-CERT for reporting this issue.
Adobe said affected products are versions of Adobe Flash Player Desktop Runtime (Win/Mac), Adobe Flash Player for Google Chrome (Win/Mac/Linux/Chrome OS), Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Win 10 & 8) and Adobe Flash Player Desktop Runtime (Linux). A complete list isÂ available here.
â€śThis vulnerability occurs because of computation that reads data that is past the end of the target buffer. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure,â€ťÂ according to the Mitre description of the vulnerability.
Simon Choi, a security researcher with the South Korean security firm Hauri, claimed on Twitter that the zero-day vulnerability originated in North Korea and has been in use since mid-November 2017. Targeted are South Koreans researching online for information about North Korea.
KR-CERT is recommending users refrain from using Microsoftâ€™s Internet Explorer browser and use Mozillaâ€™s Firefox browser instead.
On Thursday Adobe recommended:â€śBeginning with Flash Player 27, administrators have the ability to change Flash Playerâ€™s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content. For more details, see this administration guide.Â Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode,â€ť Adobe said.