Adobe: Two critical Flash security bugs fixed for the price of one

Emergency patch lands, shuts pair of remote exploitable holes, one used by Norks

By Iain Thomson in San Francisco

Adobe has issued an emergency security patch for two bugs in its Flash player – after North Korea's hackers were spotted exploiting one of the flaws to spy on people investigating the creepy hermit nation.

At the start of the month, South Korea's Computer Emergency Response Team put the world on alert after it found miscreants abusing Flash to take control of and surveil Windows PCs in its country via Office documents carrying embedded malicious SWF files. Subsequent analysis showed the hacking was being done by Group 123, one of Kim Jong-un's cyber-squads, who were targeting folks investigating North Korea's abuses and operations.

Adobe acknowledged its software was still a security shit show shortly afterwards, and promised a patch this week.

Now that update has landed – and it contains a fix for not just one programming blunder but two, thanks to researchers at Qihoo 360 Vulcan Team. The Qihoo crew found a remote-code execution hole in Flash that is addressed with this update. Both bugs are rated critical for all supported OSes except the Linux build of Adobe Flash Player Desktop Runtime.

Essentially, patch your Flash installation now to stop scumbags exploiting two newly discovered bugs: one is being used by the North Koreans, and the other was found by Qihoo's infosec boffins. Opening a webpage or other document with a malicious Flash file embedded on a vulnerable computer is enough to trigger a malware infection.

"These updates address critical vulnerabilities that could lead to remote code execution, and Adobe recommends users update their product installations to the latest versions," the Photoshop giant said today.

The Nork-exploited remote-code execution bug is CVE-2018-4878, and the Vulcan Team found CVE-2018-4877.

So, get updating, or better still, just dump the plugin. The Flash suite is over 20 years old, and is due for retirement in 2020 at the latest. HTML5 or bust, baby. ®
