Adobe: Two critical Flash security bugs fixed for the price of one

Emergency patch lands, shuts pair of remote exploitable holes, one used by Norks

By Iain Thomson in San Francisco

Posted in Security, 6th February 2018 20:21 GMT

Adobe has issued an emergency security patch for two bugs in its Flash Player – after North Korea's hackers were spotted exploiting one of the flaws to spy on people investigating the creepy hermit nation.

At the start of the month, South Korea's Computer Emergency Response Team put the world on alert after it found miscreants abusing Flash to take control of and surveil Windows PCs in its country via Office documents carrying embedded malicious SWF files. Subsequent analysis showed the hacking was being done by Group 123, one of Kim Jong-un's cyber-squads, who were targeting folks investigating North Korea's abuses and operations.

Adobe acknowledged its software was still a security shit show shortly afterwards, and promised a patch this week.

Now that update has landed – and it contains a fix for not just one programming blunder but two, thanks to researchers at Qihoo 360 Vulcan Team. The Qihoo crew found a remote-code execution hole in Flash that is addressed with this update. Both bugs are rated critical for all supported OSes except the Linux build of Adobe Flash Player Desktop Runtime.

Essentially, patch your Flash installation now to stop scumbags exploiting two newly discovered bugs, one of which is being used by the North Koreans, and the other of which was found by Qihoo's infosec boffins. Opening a webpage or other document with a malicious Flash file embedded, on a vulnerable computer, is enough to trigger a malware infection.
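As an added defender-side example (not code from the article, Adobe, or the Korean CERT), here is a Python check that flags Office OOXML files carrying the kind of embedded Flash payload described above: it looks for SWF file headers inside any part of the document zip and for the Shockwave Flash ActiveX control's well-known CLSID in activeX parts. The sample document is constructed inline and is not a real attack file.

```python
import io
import re
import zipfile

# SWF header magics: uncompressed, zlib-compressed and LZMA-compressed files.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Well-known CLSID of the Shockwave Flash ActiveX control, as written into activeX*.xml parts.
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)

def find_swf_headers(blob: bytes) -> list:
    """Offsets of plausible SWF headers: magic, small version byte, sane file length."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            start = idx + 1
            if idx + 8 > len(blob):
                continue
            version = blob[idx + 3]
            length = int.from_bytes(blob[idx + 4:idx + 8], "little")
            if 1 <= version <= 50 and 8 <= length <= 256 * 1024 * 1024:
                hits.append(idx)
    return sorted(hits)

def scan_ooxml(data: bytes) -> list:
    """Return (part name, reason) for every part of an OOXML zip that carries Flash."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            if find_swf_headers(blob):
                findings.append((info.filename, "embedded SWF"))
            if info.filename.lower().endswith(".xml") and FLASH_CLSID.search(blob):
                findings.append((info.filename, "Flash ActiveX CLSID"))
    return findings

def build_sample(with_flash: bool) -> bytes:
    """Constructed docx-like zip for testing; not a real document, just enough to scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            # OLE-style prefix, then a zlib-compressed SWF header (version 15, length 4096)
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + b"CWS\x0f" + (4096).to_bytes(4, "little"))
    return buf.getvalue()
```

Run `scan_ooxml(open(path, "rb").read())` over a mail gateway's attachments or a quarantine folder; any non-empty result is worth a closer look, since a legitimate document rarely needs Flash content at all.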

"These updates address critical vulnerabilities that could lead to remote code execution, and Adobe recommends users update their product installations to the latest versions," the Photoshop giant said today.

The Nork-exploited remote-code execution bug is CVE-2018-4878, and the Vulcan Team found CVE-2018-4877.

So, get updating, or better still, just dump the plugin. The Flash suite is over 20 years old, and is due for retirement in 2020 at the latest. HTML5 or bust, baby. ®
