This article is more than 1 year old

Stop us if you've heard this one: Adobe Flash gets emergency patch for zero-day exploit

The internet's screen door gets kicked open once again

Adobe has kicked out an out-of-band update for a security vulnerability in Flash – after learning the bug was being actively exploited in the wild by hackers to hijack PCs.

The Photoshop giant said today its Flash Player update should be a top installation priority for Mac, Windows, and Linux systems.

One of the vulnerabilities addressed in the patch, CVE-2018-5002, is a remote code execution flaw stemming from a buffer overflow bug. Computer security experts believe the flaw is being exploited right now by miscreants to commandeer victims' PCs.

"Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users," a spokesperson for the Creative Cloud goliath said.

"These attacks leverage Office documents with embedded malicious Flash content distributed via email."

According to researchers at security shop Icebrg, the attacks have been concentrated in the Middle East, quite possibly against individuals in Qatar. In this case, the Flash code flaw is exploited via the ActiveX plugin for Office. Marks are sent an Excel spreadsheet that purports to contain salary information, but when opened pulls up Flash and executes the exploit code.

"The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers," explained Icebrg in its summary of the attack.

"Attackers typically embed a Flash file within a document, which may contain the entire exploit, or may stage the attack to download exploits and payloads more selectively."


Nork hackers exploit Flash bug to pwn South Koreans. And Adobe will deal with it next week


In addition to the hidden zero-day exploit code, Team Icebrg said the malicious documents can be spotted through their use of a mismatched Let's Encrypt HTTPS certificate, and relies on a number of recently created domain names from a hosting provider that has been previously associated with malware operations.

"While this attack leveraged a zero-day exploit, individual attacker actions do not happen in isolation," the researchers wrote.

"There are several other behavioral aspects that can be used for detection."

In addition to CVE-2018-5002, the Flash update addresses a remote code execution flaw from a type confusion error (CVE-2018-4945), and two information disclosure flaws triggered by an integer overflow (CVE-2018-5000) and an out-of-bounds read error (CVE-2018-5001).

Needless to say, users and administrators should test and install the updates as quickly as possible. ®

More about


Send us news

Other stories you might like