Security

Adobe: Two critical Flash security bugs fixed for the price of one

Emergency patch lands, shuts pair of remote exploitable holes, one used by Norks

By Iain Thomson in San Francisco

25 SHARE

Adobe has issued an emergency security patch for two bugs in its Flash player – after North Korea's hackers were spotted exploiting one of the flaws to spy on people investigating the creepy hermit nation.

At the start of the month, South Korea's Computer Emergency Response Team put the world on alert after it found miscreants abusing Flash to take control of and surveil Windows PCs in its country via Office documents carrying embedded malicious SWF files. Subsequent analysis showed the hacking was being done by Group 123, one of Kim Jong-un's cyber-squads, who were targeting folks investigating North Korea's abuses and operations.

Adobe acknowledged its software was still a security shit show shortly afterwards, and promised a patch this week.

Now that update has landed – and it contains a fix for not just one programming blunder but two, thanks to researchers at Qihoo 360 Vulcan Team. The Qihoo crew found a remote-code execution hole in Flash that is addressed with this update. Both bugs are rated critical for all supported OSes except the Linux build of Adobe Flash Player Desktop Runtime.

Essentially, patch your Flash installation now to stop scumbags exploiting two newly discovered bugs, one of which is being used by the North Koreans and the other was found by Qihoo's infosec boffins. Opening a webpage or other document with a malicious Flash file embedded on a vulnerable computer is enough to trigger a malware infection.

"These updates address critical vulnerabilities that could lead to remote code execution, and Adobe recommends users update their product installations to the latest versions," the Photoshop giant said today.

The Nork-exploited remote-code execution bug is CVE-2018-4878, and the Vulcan Team found CVE-2018-4877.

So, get updating, or better still, just dump the plugin. The Flash suite is over 20 years old, and is due for retirement at 2020 at the latest. HTML5 or bust, baby. ®

Sign up to our NewsletterGet IT in your inbox daily

25 Comments

More from The Register

Adobe chatting up Marketo – reports

Fancies slipping automated marketing software biz into its portfolio

Adobe on internal systems security hole: Panic not. It isn't critical

Researcher: Well, I think you'll find....

Haven't updated your Adobe PDF software lately? Here's 85 new reasons to do it now

Acrobat, Reader get patched up against dozens of new holes

Adobe forks out $4.75bn for Marketo in massive marketing mashup move

Deal puts pressure on competitors

Adobe acquires Magento to go B2B2C and beyond

Experience Cloud to add commerce and content management facilities

On the edge of its seats: Cloud rains down even more cash on Adobe

You'll eat our subs model... and our bottom line will expand. See how this works?

Exploit kit development has gone to sh$t... ever since Adobe Flash was kicked to the curb

Coinkidink? Nah. Crooks are switching tactics

Dolby sues Adobe for dodging license fees

Updated Copyright case puts royalty model under the microscope

Sen. Ron Wyden: Adobe Flash is doomed, why is Uncle Sam still using it?

Techno-dem urges DHS, NSA and NIST to rid sites of buggy legacy media player content

How many ways can a PDF mess up your PC? 47 in this Adobe update alone

Tons of critical fixes for Reader, Acrobat and Photoshop