Adobe Systems today released a critical security update for a pair of vulnerabilities in Flash Player, one of which has been actively exploited in phishing attacks attributed to North Korean APT actor Group 123, which reportedly is infecting targets with the ROKRAT remote administrative tool.

Both bugs are classified as use-after-free vulnerabilities that can result in remote code execution on devices operating on the Windows, Mac, Linux or Chrome operating system.

It was Kr-CERT/CC, South Korea's national computer emergency response team, that found CVE-2018-4878, the zero-day bug reportedly leveraged by hackers. Discovery of the other flaw, CVE-2018-4877, is credited to "bo13oy" of Qihoo 360's Vulcan Team, working with Trend Micro's Zero Day Initiative.