Flash Player Zero-Day

A zero-day vulnerability is a software defect that doesn’t yet have a patch from the vendor. One of these currently exists for Adobe Flash Player, and it is being actively targeted by a working exploit. This particular defect (CVE-2018-4878) is a use-after-free vulnerability which allows remote code execution. This means that Flash Player tries to read instructions from a memory address that is no longer valid, and that the exploit is able to put malicious code at that memory address, causing Flash Player to execute the malicious code introduced by the exploit.

South Korean security researchers say that North Korea developed this exploit and have embedded it in Microsoft Word documents in an effort to attack South Koreans doing security research on North Korea, and that this has been going on for two or three months.

This zero-day started making news on 1 February, and Adobe says it’ll release a patch the week of 5 February. As in this case, it can take the vendor a while to address a defect like this. So if your character needs to compromise someone’s computer, she might search Dark Web forums for a recent zero-day like this and send it to her target in a phishing email, especially if she knows that her target is not diligent about keeping their computer up-to-date.

And if you use Flash Player, make sure you apply the patch when Adobe releases it. Version 28.0.0.137 is the affected version.

Advertisements

2015-12-28 Adobe updates

Adobe has released updates to Adobe Flash Player. This update addresses critical security problems. If you you have Flash Player installed on your computer (which is likely), please update it.

Looks like if you let Firefox and Google Chrome update themselves, that may be enough to update Flash Player in those browsers. Otherwise, the Adobe Flash Player page can tell you if you need an update (you may want to visit this page in each web browser you use).

For more technical information, see the Adobe security bulletin.

This bulletin also includes an update for Adobe AIR. If you think AIR is installed on your computer, here’s the Adobe AIR page.