CVE-2018-5002: A TALE OF FLASH AND EXCEL
June 26, 2018
You’d think that with all the successful exploits out there, hackers could just sit back and relax, knowing that their malware is doing the dirty work it was designed to do – largely undisturbed. The fact that they continue to come up with new twists on vulnerabilities – especially in systems and applications that have been around for years – is a testimony to their ingenuity and ambition.
In the latest exploit, attackers have struck the veteran spreadsheet program Excel with an attack that gives signature-based security products very little to detect, because the malicious code is not in the document that lands in the inbox. The vulnerability being exploited, CVE-2018-5002, is a stack-based buffer overflow in Adobe Flash Player; the attack chain built around it runs as follows. A Flash (SWF) file is embedded in an Excel document through the Shockwave Flash ActiveX control. When the document is opened and the object is activated, that loader SWF contacts the attacker's server and downloads a second, encrypted SWF. The loader decrypts and runs the second SWF, which holds the actual exploit; once it has taken control of the Flash Player process, its shellcode downloads the final payload from the command and control server and executes it.
The vulnerability was discovered independently by several security teams, mostly in China, and was being exploited in the wild as a zero-day before a fix existed. Adobe has issued an update to Flash Player that closes the hole (Flash Player 30.0.0.113, security bulletin APSB18-19), but the update only helps once users actually install it. Anti-virus and similar products have little to go on, since there is nothing wrong, or even unusual, about an Excel file with an embedded Flash object: the document that arrives contains only the benign-looking loader, and the exploit itself reaches the machine encrypted, and only after the file is opened. The exploit is also designed to get around Flash Player's internal protections.
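A check a practitioner would want at this point: the attack chain above cannot be found by looking for malicious bytes, but the fact that a workbook carries a Flash object at all is visible in the file and is reason enough to quarantine it. The scanner below flags Flash content in an Excel file two ways, by the Shockwave Flash control's CLSID in the workbook's ActiveX parts and by SWF headers (FWS/CWS/ZWS) inside the binary parts. This is an added example, not Votiro's code or anything from the original post; the sample workbook it builds is constructed in memory for the demonstration (a stub ActiveX XML and a fake CWS header, not a real Flash file), and the 64 MB upper bound on SWF length is an assumed sanity limit to discard accidental matches.

```python
import io
import re
import struct
import zipfile

# CLSID of the Shockwave Flash ActiveX control ("Shockwave Flash Object").
# Excel records it in xl/activeX/activeXN.xml when a Flash object is inserted.
FLASH_CLSID = b"{d27cdb6e-ae6d-11cf-96b8-444553540000}"

# SWF file header: 3-byte signature (FWS uncompressed, CWS zlib, ZWS LZMA),
# 1-byte SWF version, 4-byte little-endian uncompressed length.
SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x3c])(.{4})", re.DOTALL)

# OOXML parts in which Excel stores ActiveX / OLE payload bytes.
BINARY_PARTS = ("xl/activeX/", "xl/embeddings/", "xl/media/")


def scan_bytes_for_swf(blob):
    """Return every plausible SWF header found in a byte string."""
    hits = []
    for m in SWF_HEADER.finditer(blob):
        length = struct.unpack("<I", m.group(3))[0]
        # Discard random matches: a real SWF claims at least a header's worth
        # of bytes, and the 64 MB ceiling is an assumed sanity limit.
        if 8 <= length <= 64 * 1024 * 1024:
            hits.append({
                "indicator": "swf-header",
                "offset": m.start(),
                "signature": m.group(1).decode(),
                "version": m.group(2)[0],
                "length": length,
            })
    return hits


def find_embedded_flash(doc):
    """Flag Flash content in an Excel file given as bytes.

    OOXML (.xlsx/.xlsm) is opened as a zip and its ActiveX and embedding
    parts are inspected; anything else (e.g. a legacy .xls OLE2 container)
    is scanned as raw bytes.
    """
    if not doc.startswith(b"PK\x03\x04"):
        return [dict(part="<raw>", **h) for h in scan_bytes_for_swf(doc)]

    findings = []
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("xl/activeX/") and name.endswith(".xml"):
                # The control's class id identifies Flash even if the movie
                # itself is fetched from a URL rather than stored in the file.
                if FLASH_CLSID in data.lower():
                    findings.append({"part": name, "indicator": "flash-activex-clsid"})
            elif name.startswith(BINARY_PARTS):
                findings.extend(dict(part=name, **h) for h in scan_bytes_for_swf(data))
    return findings


def build_sample_xlsx(with_flash):
    """Constructed test input: a minimal workbook zip, optionally carrying a
    Flash ActiveX control whose persisted data contains a fake CWS header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            z.writestr(
                "xl/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
                'ax:persistence="persistStreamInit"/>',
            )
            # Fake SWF: CWS signature, version 30, claimed length 4096, zlib magic.
            fake_swf = b"CWS" + bytes([30]) + struct.pack("<I", 4096) + b"x\x9c" + b"\x00" * 24
            z.writestr("xl/activeX/activeX1.bin", b"\x00" * 16 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("flash" if flag else "clean", find_embedded_flash(build_sample_xlsx(flag)))
```

The two indicators deliberately overlap: in the campaign described above the loader SWF is small and harmless-looking, and the control may simply point at a remote movie, so the CLSID check catches workbooks whose ActiveX part holds no SWF bytes at all. A hit means only "this workbook carries Flash", which is the condition under which a mail gateway should hold the file or a content-disarm step should strip the object.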
As we’ve mentioned in other blog posts in this series, Votiro customers have nothing to worry about. An Excel file with an embedded Flash file gets the full treatment: the file is deconstructed, the offending element, the embedded ActiveX object holding the Flash file, is sanitized, and the file is reconstructed. While hackers continually spin their wheels looking for the Next Big Exploit, Votiro users remain safe, no matter what they come up with.