Threat Management, Malware, Network Security, Phishing, Vulnerability Management

Attackers exploiting critical Adobe Flash Player zero-day bug; no patch until next week

Adobe Systems says it plans to address a critical zero-day vulnerability in Flash Player that a researcher asserts is being actively exploited in the wild to attack South Koreans conducting research on North Korea.

A Feb. 1 advisory from Adobe warns that the use-after-free flaw, CVE-2018-4878, can be leveraged by attackers to take control of an affected system and is being used in “limited, targeted attacks against Windows users.”

Kr-CERT/CC, South Korea's national computer emergency response team, issued a security bulletin on Wednesday, Jan. 31, stating that attackers can exploit the flaw by embedding malicious Flash content in spam, emailed Microsoft Office documents, or web pages.

Simon Choi, director of the Next Generation Security Research Center at Seoul-based computer software company Hauri, Inc. – also affiliated with South Korea's Cyber Warfare Intelligence Center (CWIC) – tweeted that the zero-day bug was first exploited by North Korea in mid-November 2017, in order to target “South Koreans who mainly do research on North Korea.”

Until a patch is distributed, Kr-CERT recommends that users remove Flash Player, avoid opening suspicious emails, and keep anti-virus programs updated. Alternatively, users may be able to limit the potential for damage by using Firefox as their browser.

Adobe warns the following products are affected: versions and earlier of Adobe Flash Player Desktop Runtime (Windows and Mac), Adobe Flash Player for Google Chrome (Windows, Macintosh, Linux and Chrome OS), Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1), and Adobe Flash Player Desktop Runtime (Linux).

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.