Full Report
Important update! Adobe Systems released a critical security update on 6.02.2017 to fix the vulnerability discussed in this post. We recommend that you apply the update immediately. Summary of the vulnerability: CVE-2018-4878 is a use-after-free vulnerability present in Adobe Flash Player 28.0.0.137 and earlier versions, and it is being exploited in the wild. A successful exploitation […] The post "An analysis of an MS office document exploiting a zero-day flash player vulnerability (CVE-2018-4878)" first appeared on the Quick Heal blog.
Analysis Summary
# Vulnerability: Adobe Flash Player Use-After-Free (Zero-Day)
## CVE Details
- **CVE ID:** CVE-2018-4878
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Adobe Flash Player
- **Versions:** 28.0.0.137 and earlier versions
- **Configurations:** Systems with Flash Player plugin enabled, often targeted via embedded Flash content in Microsoft Office documents (Excel, Word) or malicious web pages.
## Vulnerability Description
CVE-2018-4878 is a critical use-after-free vulnerability. This occurs when an application continues to use a pointer after it has been freed, which can lead to the execution of arbitrary code. In this specific case, attackers embed a malicious Flash (.swf) file inside a Microsoft Office document. When the document is opened and the Flash content is processed, the flaw allows the attacker to gain control of the system's memory execution flow.
## Exploitation
- **Status:** Exploited in the wild (Initially discovered as a zero-day).
- **Complexity:** Medium (Requires crafting a malicious document/file).
- **Attack Vector:** Network (Remote via malicious email attachments or drive-by downloads).
## Impact
- **Confidentiality:** High (Full data access potential)
- **Integrity:** High (System takeover and malware installation)
- **Availability:** High (Can lead to system crashes or persistent denial of service)
## Remediation
### Patches
- Adobe released a critical security update on **February 6, 2018**.
- Users should update to **Adobe Flash Player version 28.0.0.161** or higher.
### Workarounds
- **Disable Flash:** Uninstall Adobe Flash Player if not required for business operations.
- **Office Kill-Bit:** Implement the "kill-bit" for Flash ActiveX controls within Microsoft Office via registry settings to prevent Flash from loading in documents.
- **Protected View:** Ensure Microsoft Office "Protected View" is enabled to limit the execution of embedded content from untrusted sources.
## Detection
- **Indicators of Compromise:** Unusual outbound network traffic from Microsoft Office processes (Excel.exe, Winword.exe), presence of unexpected .swf files in temp directories.
- **Detection Methods:**
  - Security software with behavior-based detection for Office-to-shell spawning.
  - Scanning email attachments for embedded Flash objects.
  - YARA rules targeting the specific use-after-free trigger in SWF byte code.
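As an added example of the attachment-scanning method listed above (this is not Quick Heal's or Adobe's code), the following Python scanner flags Flash content inside an OOXML (.docx/.xlsx) attachment by looking for the well-known Shockwave Flash ActiveX CLSID and for parts that begin with an SWF file signature. The sample documents it scans are constructed in memory and are not real malicious samples.

```python
"""Scan an OOXML (docx/xlsx) attachment for embedded Flash content.

Added example for the detection method above; not code from Quick Heal or Adobe.
Two heuristics: (1) an ActiveX part declaring the Flash Player CLSID,
(2) a part whose first bytes are an SWF signature (FWS / CWS / ZWS).
"""
import io
import re
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control (not page-specific).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
CLSID_RE = re.compile(re.escape(FLASH_CLSID).encode(), re.IGNORECASE)


def scan_ooxml(data: bytes) -> list:
    """Return a list of (part_name, reason) findings; empty means no Flash found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an OOXML container (legacy OLE files need a different parser)
    for name in zf.namelist():
        blob = zf.read(name)
        if CLSID_RE.search(blob):
            findings.append((name, "references Flash ActiveX CLSID"))
        if blob[:3] in SWF_MAGIC:
            findings.append((name, "part starts with SWF signature %s" % blob[:3].decode()))
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Constructed in-memory .xlsx-like zip used as test input (not a real malicious sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID.lower())
            zf.writestr("xl/media/movie1.swf", b"CWS\x0f" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_ooxml(build_sample(True)):
        print("FLAG: %s -> %s" % hit)
```

The CLSID check catches Flash embedded as an ActiveX control; the signature check catches a raw .swf stored as media, which is how the malicious documents described above carry their payload.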
## References
- **Vendor Advisory (Adobe):** hxxps[://]helpx[.]adobe[.]com/security/products/flash-player/apsb18-03[.]html
- **Quick Heal Blog Analysis:** hxxps[://]www[.]quickheal[.]com/blogs/an-analysis-of-an-ms-office-document-exploiting-a-zero-day-flash-player-vulnerability-cve-2018-4878/