This article is more than 1 year old

Patch or ditch Adobe Flash: Exploit on sale, booby-trapped Office docs spotted in the wild

ThreadKit leverages flaw fixed in February

In case you needed another reason not to open Adobe Flash or Microsoft Office files from untrusted sources: ThreadKit, an app for building documents that infect vulnerable PCs with malware when opened, now targets a recently patched Flash security bug.

This means less-than-expert hackers can use ThreadKit to craft booby-trapped Office files, and fling them at victims in emails or downloads, so that when they are viewed on unpatched systems, malicious code within the files is executed via the Flash security hole.

Exploit code samples started showing up in the wild a few days ago.

Adobe issued a patch for CVE-2018-4878 in February, warning that an exploit for the vulnerability was circulating via Microsoft Office documents with embedded malicious Flash content

Since the exploit was folded into ThreadKit, examples of fiendish files leverage this latest Flash bug began appearing in antivirus engines.

"Document exploit builder kits like ThreadKit enable even low-skilled threat actors to take advantage of the latest vulnerabilities to distribute malware," infosec biz Proofpoint explained in a blog post late last month.


Exploit kit development has gone to sh$t... ever since Adobe Flash was kicked to the curb


There appears to be quite a few exploit variants circulating, based on Virus Total hashes posted to Pastebin.

Security researcher Claes Splett has even posted a video of building a CVE-2018-478 exploit in ThreadKit on YouTube.

The exploit code takes advantage of a flaw affecting Flash Player versions 23 through

The fix is present in Flash Player version and later. The most recent version of Flash Player is

According to Proofpoint, ThreadKit has been used to create exploits that distribute malware payloads like banking trojans, such as Chthonic and Trickbot, and remote access trojans like FormBook and Loki Bot.

In a statement to The Register, a Microsoft spokesperson said: "We released a security update in February 2018 to help protect customers from this vulnerability affecting Adobe Flash Player. We continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process."

The lesson here is the same as it ever was: patch diligently, consider ditching Flash all together, and don't open email attachments from strangers (or anyone, if you can help it). ®

More about


Send us news

Other stories you might like