Flash Player Zero-Day

A zero-day vulnerability is a software defect that doesn’t yet have a patch from the vendor. One of these currently exists for Adobe Flash Player, and it is being actively targeted by a working exploit. This particular defect (CVE-2018-4878) is a use-after-free vulnerability which allows remote code execution. This means that Flash Player tries to read instructions from a memory address that is no longer valid, and that the exploit is able to put malicious code at that memory address, causing Flash Player to execute the malicious code introduced by the exploit.
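To make the use-after-free idea concrete, here is an added example (not from the original post, and not Flash Player's code or a reproduction of CVE-2018-4878). It is a toy model in C: a two-slot object pool stands in for the heap, and all names (`pool_alloc`, `read_checked`, and so on) are hypothetical. It shows a stale reference reading whatever was placed in the reused slot, next to a generation check that refuses the stale reference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model (assumption): a tiny object pool standing in for a heap allocator. */
#define SLOTS 2
typedef struct { char data[16]; uint32_t gen; int live; } slot_t;
typedef struct { int idx; uint32_t gen; } handle_t;
static slot_t pool[SLOTS];

/* Allocate the first free slot; like a real allocator, freed slots get reused. */
static handle_t pool_alloc(const char *contents) {
    for (int i = 0; i < SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].gen++;               /* new generation for each reuse */
            snprintf(pool[i].data, sizeof pool[i].data, "%s", contents);
            return (handle_t){ i, pool[i].gen };
        }
    }
    return (handle_t){ -1, 0 };
}

static void pool_free(handle_t h) { if (h.idx >= 0 && h.idx < SLOTS) pool[h.idx].live = 0; }

/* Unchecked access: behaves like a dangling pointer, trusting only the location. */
static const char *read_unchecked(handle_t h) { return pool[h.idx].data; }

/* Checked access: rejects a handle whose slot was freed or handed to someone else. */
static const char *read_checked(handle_t h) {
    if (h.idx < 0 || h.idx >= SLOTS) return NULL;
    if (!pool[h.idx].live || pool[h.idx].gen != h.gen) return NULL;
    return pool[h.idx].data;
}

/* Returns 1 if the stale handle sees the replacement data and the checked read refuses it. */
int demo_use_after_free(void) {
    memset(pool, 0, sizeof pool);        /* start from an empty pool */
    handle_t owner = pool_alloc("trusted");
    handle_t stale = owner;              /* a second reference kept elsewhere */
    pool_free(owner);                    /* object released ... */
    pool_alloc("replacement");           /* ... and its slot reused for new data */
    int bug = strcmp(read_unchecked(stale), "replacement") == 0;
    int fixed = read_checked(stale) == NULL;
    return bug && fixed;
}

int main(void) {
    printf("stale read sees replacement, checked read refuses: %d\n", demo_use_after_free());
    return 0;
}
```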

South Korean security researchers say that North Korea developed this exploit and has embedded it in Microsoft Word documents in an effort to attack South Koreans doing security research on North Korea, and that this has been going on for two or three months.

This zero-day started making news on 1 February, and Adobe says it’ll release a patch the week of 5 February. As in this case, it can take the vendor a while to address a defect like this. So if your character needs to compromise someone’s computer, she might search Dark Web forums for a recent zero-day like this and send it to her target in a phishing email, especially if she knows that her target is not diligent about keeping their computer up-to-date.

And if you use Flash Player, make sure you apply the patch when Adobe releases it. Version 28.0.0.137 is the affected version.


Software updates for Microsoft, Adobe, WordPress

It was the second Tuesday of the month this week, so Microsoft has released updates to its products. Microsoft characterizes some of these updates as critical. Here’s the April 2016 Microsoft security bulletin.

Adobe has updated its April 2016 security bulletin from last week’s out-of-band announcement. The updated bulletin adds some new items that need updates.

WordPress has released version 4.5. That looks like more of a feature update than a security update. Still, if you host your own WordPress blog, you should probably update. (If, like me, your WordPress blog is hosted on the WordPress.com servers, you don’t need to do anything.)

And if you happen to run Samba on Linux (or similar), you need to run your updates, too. There’s a new man-in-the-middle exploit called Badlock which is getting some attention.

2016-03-11 emergency Flash Player update from Adobe

Adobe has released an update for Flash Player (here’s the security bulletin). Like Microsoft, Adobe usually releases updates on the second Tuesday of the month (and they both did that earlier this week), but this update addresses serious problems in Flash Player, one of which is being actively exploited.

This is sometimes called an out-of-band update, because they’re releasing it off their normal schedule. That sometimes highlights the importance of the update.

So. Update your Flash Player.

March 2016 updates from Adobe and Microsoft

Today Adobe and Microsoft have released updates to their software to address critical vulnerabilities. Here’s the Adobe bulletin (it covers updates to Acrobat and Reader), and here’s the Microsoft bulletin (it covers updates to Internet Explorer, Edge, Office, .NET, and other components).