Microsoft Office users may find an unpleasant surprise lurking in the form of an infected, remotely embedded Adobe Flash Player bug.
On June 6, techadvisory.org reported that a few weeks ago, Microsoft announced it would block future content that is embedded with Adobe Flash, Shockwave, and even its own Silverlight platform from Office 365 by January 2019. Microsoft said that malware authors have been exploiting systems through Word, Excel, and PowerPoint files with embedded content.
On June 7, technology publication Ars Technica reported that the popular media player has been blocked from many browsers, but “at least some versions of Microsoft Office still download Flash with little or no user interaction.” This has resulted in problems.
Network security company Icebrg identified the Adobe Flash vulnerability, which appeared to target people and organizations in the Middle East. The exploit, a way to take advantage of a vulnerability in an application or program, arrives through Adobe Flash in an infiltration that “begins by downloading and executing a remote Shockwave Flash (SWF) file.”
Icebrg’s blog explained, “Unlike most Flash exploits delivered with Microsoft Office, this document uses a lesser-known feature to remotely include all SWF content from the attacker’s server instead of embedding it directly in the document.”
“The vulnerability (CVE-2018-5002) allows for a maliciously crafted Flash object to execute code on victim computers, which enables an attacker to execute a range of payloads and actions.”
Microsoft has provided guidance for turning off ActiveX in Office 2007 and Office 2010 in order to avoid the Adobe Flash vulnerability, according to Ars Technica.
“ActiveX controls,” according to Microsoft Support, “are small apps that allow websites to provide content such as videos and games. They also let you interact with content like toolbars and stock tickers when you browse the web. However, these apps can sometimes malfunction, or give you content that you don't want. In some cases, these apps might be used to collect info from your PC, damage info on your PC, install software on your PC without your agreement, or let someone else control your PC remotely.”
Microsoft provided the following directions to prevent Flash Player from opening in Office 2007 and Office 2010: “To disable all ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, including Adobe Flash Player in Internet Explorer, perform the following steps:
1. Click File, click Options, click Trust Center, and then click Trust Center Settings.
2. Click ActiveX Settings in the left-hand pane, and then select Disable all controls without notifications.
3. Click OK to save your settings.”
Some are saying it may be better to throw the baby out with the bath water and ditch Adobe Flash Player along with the Adobe Flash vulnerability.
The Register UK reported, “In case you needed another reason not to open Adobe Flash or Microsoft Office files from untrusted sources: ThreadKit, an app for building documents that infect vulnerable PCs with malware when opened, now targets a recently patched Flash security bug. This means less-than-expert hackers can use ThreadKit to craft booby-trapped Office files, and fling them at victims in emails or downloads so that when they are viewed on unpatched systems, malicious code within the files is executed via the Flash security hole.”
In a statement to The Register, a Microsoft spokesperson said the company released a security update in February “to help protect customers from this vulnerability affecting Adobe Flash Player.” The Register UK wrote, “The lesson here is the same as it ever was: patch diligently, consider ditching Flash altogether, and don't open email attachments from strangers (or anyone, if you can help it).”