Adobe has published a patch for a critical vulnerability, CVE-2018-5002. The attack is triggered by an Office document that embeds a link to a Flash file stored on people.dohabayt.com. Once executed, the malicious file downloads a malicious payload from the same domain. Researchers from security firms Icebrg and Qihoo 360 independently discovered the attacks and privately reported them to Adobe.
To prevent these downloads, users should make sure their installations either never load Flash or at least do not load it without explicit permission.
“The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers. Contrary to typical tactics, this attack uses a lesser-known feature that remotely includes the Flash content instead of directly embedding it within the document. Only XML wrappers selecting the Flash Player ActiveX control and an OLE Object supplying parameters are present,” Icebrg researchers Chenming Xu, Jason Jones, Justin Warner, and Dan Caselden wrote in Thursday’s blog post.
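Defenders can triage Office files for the structure the researchers describe: an XML wrapper that selects the Flash Player ActiveX control, plus an OLE part whose parameters point at a remote location. The Python below is an added example, not code from Icebrg, Qihoo 360 or Adobe. It assumes the OLE part holds its parameters as uncompressed ASCII or UTF-16LE strings; the class ID is the well-known Flash control value rather than one given in this article, and the sample document and its URL are constructed placeholders.

```python
import io
import re
import zipfile

# Class ID of the Flash Player ActiveX control (well-known value, not from the article).
FLASH_CLSID = b"d27cdb6e-ae6d-11cf-96b8-444553540000"
# URLs as they may appear in OLE parameter data: plain ASCII or UTF-16LE (assumption).
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def scan_ooxml(data: bytes) -> dict:
    """Report whether an OOXML file declares the Flash control and which
    URLs its ActiveX OLE parts carry."""
    result = {"flash_control": False, "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/activex/" not in name.lower():
                continue
            blob = zf.read(name)
            if name.lower().endswith(".xml"):
                # The XML wrapper selects the control by class ID.
                if FLASH_CLSID in blob.lower():
                    result["flash_control"] = True
            elif name.lower().endswith(".bin"):
                # The OLE object supplies the parameters, including the remote location.
                found = [m.decode("ascii") for m in URL_ASCII.findall(blob)]
                found += [m.decode("utf-16-le") for m in URL_UTF16.findall(blob)]
                result["urls"].extend(sorted(set(found)))
    result["suspicious"] = result["flash_control"] and bool(result["urls"])
    return result


def build_sample() -> bytes:
    """Constructed test document: not a real sample, URL is a placeholder."""
    xml = (b'<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
           b'ax:persistence="persistStorage" r:id="rId1" '
           b'xmlns:ax="http://schemas.microsoft.com/office/2006/activeX"/>')
    ole = b"\x00" * 16 + "Movie\x00https://flash.example.invalid/a.swf".encode("utf-16-le") + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/activeX/activeX1.xml", xml)
        zf.writestr("word/activeX/activeX1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ooxml(build_sample()))
```

A hit means the file deserves a closer look, not that it is malicious; legitimate documents can also reference the Flash control.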
In an advisory published Thursday, Microsoft provides guidance for turning off ActiveX in Office 2007 and Office 2010.