Nork hackers exploit Flash bug to pwn South Koreans. And Adobe will deal with it next week

Maybe it's a good time to just delete the thing

By Iain Thomson in San Francisco


Adobe will next week emit patches to squash a security bug in Flash that can be exploited by malicious webpages and documents, when opened, to hijack and spy on vulnerable computers.

The flaw is being abused right now by North Korean hackers to infect victims' PCs. You should update your browser or Flash installation – if you're still using Flash – as soon as the fix lands so other miscreants can't exploit the vulnerability and potentially commandeer your machine.

The programming cockup (CVE-2018-4878) came to light after South Korea's Computer Emergency Response Team found malicious code hiding in Microsoft Office documents, web pages, and spam emails, that exploits the Flash bug to infect Windows PCs with malware.

According to Simon Choi, director of the security research center at Korean infosec biz Hauri, the security hole is being abused by North Korea to spy on those in the South investigating the hermit nation's dictatorship. Victims are tricked into opening dodgy Microsoft Office spreadsheets that hack the PC via the Flash hole.

Adobe today said it is working on a patch that should be released "during the week of" February 5.

All versions of Flash are vulnerable to the aforementioned issue. The Photoshop maker said that – so far – only Windows machines have been attacked, although Windows, Macintosh, Linux, and Chrome OS systems are potentially vulnerable.

Now's a good time to ensure Flash is set to only play when specifically told to – so-called "click to run" – so that malicious Flash files invisibly embedded in documents and webpages can't silently kick off without you knowing. There are other mitigations listed here.

The other alternative is just to delete Flash from your system. Web browsers are shunning this internet dumpster fire. Even Adobe's had enough of the wretched thing, vowing to kill it by 2020. ®
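For anyone triaging attachments while waiting for the patch, here is an added example (not from Adobe, KrCERT or the article) that flags Office files carrying embedded Flash, the delivery route described above. It is a heuristic: the CLSID is the well-known identifier of the Shockwave Flash ActiveX control rather than a value from this page, the size limits are assumptions, and a hit means "has Flash inside", not "is malicious".

```python
import io
import re
import struct
import uuid
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control (not taken from the article).
_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
CLSID_TEXT = str(_CLSID).upper().encode()   # form used in OOXML activeX XML parts
CLSID_BIN = _CLSID.bytes_le                 # mixed-endian form stored in OLE containers
# SWF header: signature (FWS raw, CWS zlib, ZWS LZMA), version byte, LE file length.
SWF_HEADER = re.compile(rb"[FCZ]WS([\x01-\x32])(.{4})", re.DOTALL)
MAX_PART = 64 * 1024 * 1024                 # assumed cap so huge parts are skipped


def find_flash(data: bytes) -> list[str]:
    """Return the reasons a blob looks like it carries Flash content."""
    reasons = []
    if CLSID_TEXT in data.upper() or CLSID_BIN in data:
        reasons.append("Flash ActiveX CLSID")
    for m in SWF_HEADER.finditer(data):
        (length,) = struct.unpack("<I", m.group(2))
        # An implausible declared length is treated as a chance 3-byte match.
        if 8 <= length <= MAX_PART:
            reasons.append(f"SWF header at offset {m.start()} (v{m.group(1)[0]})")
            break
    return reasons


def scan_document(blob: bytes) -> dict[str, list[str]]:
    """Map each part of a document to the Flash indicators found in it."""
    hits = {}
    if zipfile.is_zipfile(io.BytesIO(blob)):      # OOXML: .xlsx, .docx, .pptx
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_PART:
                    continue
                found = find_flash(zf.read(info))
                if found:
                    hits[info.filename] = found
    else:                                         # legacy OLE (.xls, .doc) or raw file
        found = find_flash(blob)
        if found:
            hits["<raw>"] = found
    return hits
```

Legacy `.xls` files are scanned as raw bytes, so an SWF split across non-contiguous OLE sectors can still show its header but is not reassembled.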
