This article is more than 1 year old
Adobe: Two critical Flash security bugs fixed for the price of one
Emergency patch lands, shuts pair of remote exploitable holes, one used by Norks
Adobe has issued an emergency security patch for two bugs in its Flash player – after North Korea's hackers were spotted exploiting one of the flaws to spy on people investigating the creepy hermit nation.
At the start of the month, South Korea's Computer Emergency Response Team put the world on alert after it found miscreants abusing Flash to take control of and surveil Windows PCs in its country via Office documents carrying embedded malicious SWF files. Subsequent analysis showed the hacking was being done by Group 123, one of Kim Jong-un's cyber-squads, who were targeting folks investigating North Korea's abuses and operations.
Adobe acknowledged its software was still a security shit show shortly afterwards, and promised a patch this week.
Now that update has landed – and it contains a fix for not just one programming blunder but two, thanks to researchers at Qihoo 360 Vulcan Team. The Qihoo crew found a remote-code execution hole in Flash that is addressed with this update. Both bugs are rated critical for all supported OSes except the Linux build of Adobe Flash Player Desktop Runtime.
Essentially, patch your Flash installation now to stop scumbags exploiting two newly discovered bugs, one of which is being used by the North Koreans and the other was found by Qihoo's infosec boffins. Opening a webpage or other document with a malicious Flash file embedded on a vulnerable computer is enough to trigger a malware infection.
"These updates address critical vulnerabilities that could lead to remote code execution, and Adobe recommends users update their product installations to the latest versions," the Photoshop giant said today.
The Nork-exploited remote-code execution bug is CVE-2018-4878, and the Vulcan Team found CVE-2018-4877.
So, get updating, or better still, just dump the plugin. The Flash suite is over 20 years old, and is due for retirement at 2020 at the latest. HTML5 or bust, baby. ®