Zero-day vulnerability in Adobe Flash Player

Stack-based buffer overflow
CVE-2018-5002

The vulnerability was reported to Adobe by the following researchers: Chenming Xu and Jason Jones of ICEBRG, Bai Haowen, Zeng Haitao and Huang Chaowen of 360 Threat Intelligence Center of 360 Enterprise Security Group, and Yang Kang, Hu Jiang, Zhang Qing, and Jin Quan of Qihoo 360 Core Security (@360CoreSec), Tencent PC Manager.

The attacks exploiting this vulnerability mainly target the Middle East.

Vulnerability details

Advisory: SB2018060720 - Multiple vulnerabilities in Adobe Flash Player

Vulnerable component: Adobe Flash Player

CVE-ID: CVE-2018-5002

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-121 - Stack-based Buffer Overflow

Description:

The vulnerability allows a remote attacker to compromise target system.

The vulnerability exists due to a stack-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow the attacker to compromise vulnerable system.

Note: this vulnerability is being actively exploited in the wild.


Latest references in media:

- Exploit kits: Spring 2018 review [2018-06-19 05:41:20]

- Adobe Flash Player 0-Day (CVE-2018-5002) [2018-06-15 04:21:03]

- Patch Tuesday, June 2018 [2018-06-15 04:20:57]

- Analysis of the evolution of exploit kits in the threat landscape [2018-06-14 09:10:09]

- Exploit Kits Target Recent Flash, Internet Explorer Zero-Days [2018-06-13 18:00:09]

- Overview: Microsoft June 2018 Patch Tuesday [2018-06-13 14:41:32]

- Overview: Microsoft June 2018 Patch Tuesday [2018-06-13 14:40:13]

- Patch Tuesday Brings Fixes for Adobe, Spectre [2018-06-13 13:30:07]

- June Patch Tuesday: Microsoft Addresses DNS-related Vulnerability, Adobe Patches Critical Flash Player Flaw [2018-06-13 10:30:14]

- Emergency update: Zero-day attack takes over Adobe Flash [2018-06-13 06:11:19]

- Microsoft security updates for June 2018 - Patch for 50 Vulnerabilities [2018-06-13 06:10:58]

- Adobe Flash Player 0-Day (CVE-2018-5002) [2018-06-13 03:31:02]

- Patch Tuesday, June 2018 [2018-06-13 03:30:56]

- Microsoft June 2018 Patch Tuesday Fixes 50 Security Issues [2018-06-12 20:00:22]

- Weekly Threat Intelligence Brief: June 12, 2018 [2018-06-12 16:11:15]

- Patch management is not just IT’s responsibility, get your whole team on board [2018-06-11 08:03:35]

- Week in review: Zip Slip, GDPR and the US, why creativity is key to security [2018-06-10 20:09:32]

- Security Affairs newsletter Round 166 тАУ News of the week [2018-06-10 07:01:32]

- Adobe Patched Zero-Day Vulnerability [2018-06-09 22:11:12]

- Flash zero-day shows up in Qatar amid geopolitical struggles [2018-06-09 01:12:54]

- Emergency Update: Zero-Day Exploit in Adobe Flash [2018-06-08 18:54:01]

- Windows users attacked via critical Flash zero-day: Patch now, urges Adobe | ZDNet [2018-06-08 14:14:31]

- Adobe releases fix for actively exploited Flash Player zero-day [2018-06-08 12:56:28]

- Zero-Day Flash Exploit Targeting Middle East [2018-06-08 12:27:43]

- Stop us if you've heard this one: Adobe Flash gets emergency patch for zero-day exploit [2018-06-08 12:02:01]

- Adobe patches critical zero-day vuln in Flash Player, again | TheINQUIRER [2018-06-08 11:50:26]

- Adobe Flash Zero-day - Exploited in Wild by Attackers [2018-06-08 08:55:02]

- Adobe Issues Emergency Patch for Flash Zero-Day [2018-06-07 21:16:57]

- Flash zero-day exploit. Act now! [2018-06-07 20:32:06]

- Adobe Patches Zero-Day Flash Flaw [2018-06-07 19:11:58]

- Adobe has released a security patch update for a critical vulnerability (CVE-2018-5002) in Flash Player that is actively being exploited in the wild. [2018-06-07 18:19:49]

- Adobe fixed the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East [2018-06-07 16:18:26]

- Adobe Patches Flash Zero-Day [2018-06-07 15:25:25]

- Adobe Patches Flash Zero-Day Exploited in Targeted Attacks [2018-06-07 14:36:24]

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.