{"id":2986,"date":"2024-09-25T20:44:31","date_gmt":"2024-09-25T20:44:31","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2986"},"modified":"2025-07-29T06:53:18","modified_gmt":"2025-07-29T06:53:18","slug":"threat-advisory-adobe-flash-player-multiple-vulnerabilities-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/threat-advisory-adobe-flash-player-multiple-vulnerabilities-exploited-in-the-wild\/","title":{"rendered":"Threat Advisory: Adobe Flash Player Multiple Vulnerabilities exploited in the wild"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"500\" height=\"158\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/well.webp\" alt=\"Sign words\" class=\"wp-image-2988\"\/><\/figure>\n<\/div>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"745\" height=\"102\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/image-25.webp\" alt=\"\" class=\"wp-image-2987\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>CVSS V3 Base Score Metrics<\/strong><\/td><\/tr><tr><td><strong>CVE-ID<\/strong><\/td><td><strong>CVE-2018-4878<\/strong><\/td><td><strong>CVE-2018-4877<\/strong><\/td><\/tr><tr><td><strong>Exploitability Metrics<\/strong><\/td><td>Attack Vector<\/td><td>Network<\/td><td>Network<\/td><\/tr><tr><td>Attack Complexity<\/td><td>Low<\/td><td>Low<\/td><\/tr><tr><td>Privileges Required<\/td><td>None<\/td><td>None<\/td><\/tr><tr><td>User Interaction<\/td><td>Required<\/td><td>Required<\/td><\/tr><tr><td>Scope<\/td><td>Unchanged<\/td><td>Unchanged<\/td><\/tr><tr><td><strong>Impact 
Metrics<\/strong><\/td><td>Confidentiality<\/td><td>High<\/td><td>High<\/td><\/tr><tr><td>Integrity<\/td><td>High<\/td><td>High<\/td><\/tr><tr><td>Availability<\/td><td>High<\/td><td>High<\/td><\/tr><tr><td><strong>Type<\/strong><\/td><td>Use After Free\/Remote Code Execution<\/td><td>Use After Free\/Remote Code Execution<\/td><\/tr><tr><td><strong>Base Score<\/strong><\/td><td>8.8<\/td><td>8.8<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Affected Products<\/strong><\/td><\/tr><tr><td><strong>Adobe Flash Player <\/strong>Desktop Runtime version 28.0.0.137 and earlier versions for Windows, Linux and Macintosh.<br>Google Chrome version 28.0.0.137 and earlier for Windows, Macintosh, Linux and Chrome OS.<br>Microsoft Edge and Internet Explorer 11 version 28.0.0.137 and earlier for Windows 10 and 8.1.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Vulnerability Information<\/strong><\/td><\/tr><tr><td><strong>#<\/strong><\/td><td><strong>Vulnerability ID<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td><strong>1<\/strong><\/td><td><strong>CVE-2018-4878<\/strong><\/td><td>A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to the handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.<\/td><\/tr><tr><td><strong>2<\/strong><\/td><td><strong>CVE-2018-4877<\/strong><\/td><td>A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to quality of service functionality. 
A successful attack can lead to arbitrary code execution.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Safeguards\/Recommendations<\/strong><\/td><\/tr><tr><td>Software updates are given below:<br>Adobe Flash Player Desktop Runtime Version 28.0.0.161<br>Updates are available at <a href=\"https:\/\/get.adobe.com\/flashplayer\/\" target=\"_blank\" rel=\"noopener\">Flash Player Download Center<\/a> and <a href=\"https:\/\/www.adobe.com\/in\/products\/players\/flash-player-distribution.html\" target=\"_blank\" rel=\"noopener\">Flash Player Distribution<\/a><br>Adobe Flash Player for Google Chrome Version 28.0.0.161<br>Updates are available at <a href=\"https:\/\/chromereleases.googleblog.com\/\" target=\"_blank\" rel=\"noopener\">Google Chrome Releases<\/a><br>Adobe Flash Player for Microsoft Edge and Internet Explorer 11 Version 28.0.0.161<br>Updates are available at <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/ADV180004\" target=\"_blank\" rel=\"noopener\">Microsoft Security Advisory<\/a><br>Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 28.0.0.161 for Windows, Macintosh, Linux and Chrome OS.<br>Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 28.0.0.161.<br>Vendor <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsb18-03.html\" target=\"_blank\" rel=\"noopener\">advisory<\/a> is available.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure 
class=\"wp-block-table\"><table><tbody><tr><td><strong>IOCs<\/strong><\/td><\/tr><tr><td>PDB path: F:\\work\\flash\\obfuscation\\loadswf\\src<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>AV detection<\/strong><\/td><\/tr><tr><td>McAfee: Exploit-CVE2018-4878.b<br>Kaspersky: Exploit.SWF.Agent.rs<br>Sophos: Exp\/20184878-A<br>ESET-NOD32: SWF\/Exploit.CVE-2018-4878.A<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Mitigations<\/strong><\/td><\/tr><tr><td>Administrators may also consider implementing <a href=\"https:\/\/support.office.com\/en-us\/article\/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653\" target=\"_blank\" rel=\"noopener\">Protected View<\/a> for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.It is safe to uninstall\/disable Adobe Flash from all 
machines in your organization.<br>Disable Flash on a browser that does not display untrusted Flash content, or enable the Click to Play function.<br>Open the Security tab from &#8220;Internet Options&#8221; in Internet Explorer and set the security level of the Internet zone and the local intranet zone to &#8220;High&#8221;.<br>Be careful not to open suspicious Office files from unknown senders.<br>If you are running Flash Player 27 or later with Internet Explorer on Windows 7 or later, you may be able to avoid running it by having the browser prompt before playing SWF content.<br><a href=\"https:\/\/otx.alienvault.com\/indicator\/yara\/51e40218c65dcf2eb04ec90a56ee388dcda81765\" target=\"_blank\" rel=\"noopener\">Yara rule<\/a> implementation (not tested)<br>Snort Rule<br>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:\"Possible CVE-2018-4878 check-in alert\"; flow:established,to_server; content:\"?id=\"; http_uri; content:\"&amp;fp_vs=\"; http_uri; content:\"&amp;os_vs=\"; http_uri; reference: source, Vitali Kremez-Flashpoint; classtype:trojan-activity; rev:1;)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Version History<\/strong><\/td><\/tr><tr><td><strong>Version 1.0<\/strong><\/td><td>Initial Report with Safeguards\/Recommendations and the released fixes.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n","protected":false},"excerpt":{"rendered":"<p>CVSS V3 Base Score Metrics CVE-ID CVE-2018-4878 CVE-2018-4877 Exploitability Metrics Attack Vector Network Network Attack Complexity Low Low Privileges Required None None User Interaction Required Required Scope Unchanged Unchanged Impact Metrics Confidentiality High High Integrity High High Availability High High Type Use After Free\/Remote Code Execution Use After Free\/Remote Code Execution Base Score 8.8 8.8 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2988,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2986","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2986"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2986\/revisions"}],"predecessor-version":[{"id":4349,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2986\/revisions\/4349"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2988"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}