Adobe has rushed out an unscheduled patch to fix two critical vulnerabilities, including one being actively exploited in the wild by suspected North Korean hackers.
The Priority 1 bulletin APSB18-03 fixes two use-after-free flaws in the bug-prone Flash Player, either of which could lead to remote code execution.
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,” the firm said in an advisory. “These attacks leverage Office documents with embedded malicious Flash content distributed via email.”
That bug was first flagged on January 31, when South Korea's KISA (Korea Internet & Security Agency) confirmed it affected Adobe Flash Player 28.0.0.137 and earlier versions.
FireEye soon waded in, attributing the exploitation to a group it tracks as TEMP.Reaper (aka Group 123), which it suspects is North Korean.
“We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific,” it explained last week.
“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”
On successful exploitation, the document fetches a decryption key from a compromised third-party website hosted in South Korea, uses it to decrypt a payload embedded in the document itself, and ultimately installs the Dogcall (Rokrat) Remote Access Trojan.
The second vulnerability patched by Adobe yesterday (CVE-2018-4877) was discovered by the Qihoo 360 Vulcan Team working with Trend Micro's Zero Day Initiative (ZDI).
It’s also a use-after-free bug that could lead to remote code execution, although it is not thought to be exploited in the wild.