Nork hackers exploit Flash bug to pwn South Koreans. And Adobe will deal with it next week

Maybe it's a good time to just delete the thing

By Iain Thomson in San Francisco

Posted in Security, 1st February 2018 21:51 GMT

Adobe will next week emit patches to squash a security bug in Flash that can be exploited by malicious webpages and documents, when opened, to hijack and spy on vulnerable computers.

The flaw is being abused right now by North Korean hackers to infect victims' PCs. You should update your browser or Flash installation – if you're still using Flash – as soon as the fix lands so other miscreants can't exploit the vulnerability and potentially commandeer your machine.

The programming cockup (CVE-2018-4878) came to light after South Korea's Computer Emergency Response Team found malicious code hiding in Microsoft Office documents, web pages, and spam emails, that exploits the Flash bug to infect Windows PCs with malware.

According to Simon Choi, director of the security research center at Korean infosec biz Hauri, the security hole is being abused by North Korea to spy on those in the South investigating the hermit nation's dictatorship. Victims are tricked into opening dodgy Microsoft Office spreadsheets that hack the PC via the Flash hole.

Adobe today said it is working on a patch that should be released "during the week of" February 5.

All versions of Flash are vulnerable to the aforementioned issue. The Photoshop maker said that – so far – only Windows machines have been attacked, although Windows, Macintosh, Linux, and Chrome OS systems are potentially vulnerable.

Now's a good time to ensure Flash is set to only play when specifically told to – so-called "click to run" – so that malicious Flash files invisibly embedded in documents and webpages can't silently kick off without you knowing. There are other mitigations listed here.

The other alternative is just to delete Flash from your system. Web browsers are shunning this internet dumpster fire. Even Adobe's had enough of the wretched thing, vowing to kill it by 2020. ®
