Security

Adobe: Two critical Flash security bugs fixed for the price of one

Emergency patch lands, shuts pair of remote exploitable holes, one used by Norks

By Iain Thomson in San Francisco

25 SHARE

Adobe has issued an emergency security patch for two bugs in its Flash player – after North Korea's hackers were spotted exploiting one of the flaws to spy on people investigating the creepy hermit nation.

At the start of the month, South Korea's Computer Emergency Response Team put the world on alert after it found miscreants abusing Flash to take control of and surveil Windows PCs in its country via Office documents carrying embedded malicious SWF files. Subsequent analysis showed the hacking was being done by Group 123, one of Kim Jong-un's cyber-squads, who were targeting folks investigating North Korea's abuses and operations.

Adobe acknowledged its software was still a security shit show shortly afterwards, and promised a patch this week.

Now that update has landed – and it contains a fix for not just one programming blunder but two, thanks to researchers at Qihoo 360 Vulcan Team. The Qihoo crew found a remote-code execution hole in Flash that is addressed with this update. Both bugs are rated critical for all supported OSes except the Linux build of Adobe Flash Player Desktop Runtime.

Essentially, patch your Flash installation now to stop scumbags exploiting two newly discovered bugs, one of which is being used by the North Koreans and the other was found by Qihoo's infosec boffins. Opening a webpage or other document with a malicious Flash file embedded on a vulnerable computer is enough to trigger a malware infection.

"These updates address critical vulnerabilities that could lead to remote code execution, and Adobe recommends users update their product installations to the latest versions," the Photoshop giant said today.

The Nork-exploited remote-code execution bug is CVE-2018-4878, and the Vulcan Team found CVE-2018-4877.

So, get updating, or better still, just dump the plugin. The Flash suite is over 20 years old, and is due for retirement at 2020 at the latest. HTML5 or bust, baby. ®

Sign up to our NewsletterGet IT in your inbox daily

25 Comments

More from The Register

Hope you're over that New Year's hangover – there's an Adobe PDF app patch to install

Pair of critical flaws cleaned up in Acrobat, Reader

Adobe chatting up Marketo – reports

Fancies slipping automated marketing software biz into its portfolio

Adobe on internal systems security hole: Panic not. It isn't critical

Researcher: Well, I think you'll find....

Haven't updated your Adobe PDF software lately? Here's 85 new reasons to do it now

Acrobat, Reader get patched up against dozens of new holes

Adobe Flash zero-day exploit... leveraging ActiveX… embedded in Office Doc... BINGO!

It's like a greatest hits album of terrible security policies

Did you hear? There's a critical security hole that lets web pages hijack computers. Of course it's Adobe Flash's fault

The internet's screen door strikes again – so get patching

Adobe forks out $4.75bn for Marketo in massive marketing mashup move

Deal puts pressure on competitors

Adobe acquires Magento to go B2B2C and beyond

Experience Cloud to add commerce and content management facilities

Premiere Pro bug ate my videos! Bloke sues Adobe after greedy 'clean cache' wipes files

Videographer stung after app nukes '$250k' of footage

On the edge of its seats: Cloud rains down even more cash on Adobe

You'll eat our subs model... and our bottom line will expand. See how this works?