Sunday, February 4, 2018

Active Adobe Flash Zero-Day Exploit Active In-The-Wild

--

Same old story. Don't use Flash v28.0.0.137 (or earlier) until Adobe provides an update! The update should be out this coming week, so keep an eye out.

The currently known attack vector for CVE-2018-4878 is a malicious Microsoft Excel document containing a malicious Flash object which, when opened, triggers the installation of ROKRAT, a remote administration tool capable of taking over the infected computer. At this time, the attack is assumed to have originated in North Korea and is primarily targeting South Korea.
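The two practical questions a defender has at this point are "is my Flash Player at or below the vulnerable 28.0.0.137 release?" and "does this Office attachment carry an embedded Flash object at all?" The script below is an added example, not code from the original post or from Adobe. It compares a Flash version string against the advisory's ceiling and scans the zip container behind an .xlsx/.docx/.pptx file for three independent Flash indicators: the Flash MIME type in [Content_Types].xml, a part beginning with an SWF header (FWS/CWS/ZWS), and an ActiveX part referencing the well-known Flash ActiveX CLSID. The sample workbook it builds is constructed in memory for the demonstration; the ActiveX XML layout and the "28.0.0.138" comparison value are assumptions, not real files or releases.

```python
import io
import zipfile

# Added example (not from the original post). Scans an OOXML container for
# embedded Flash content and checks a Flash Player version string against the
# ceiling named in Adobe's advisory for CVE-2018-4878.

# Last vulnerable release named in the advisory.
LAST_VULNERABLE = (28, 0, 0, 137)

# SWF container signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# MIME type OOXML uses for a Flash part, and the well-known Flash ActiveX CLSID
# (shows up in xl/activeX/*.xml when Flash is embedded as an ActiveX control).
FLASH_MIME = b"application/x-shockwave-flash"
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"


def parse_version(text):
    """'28.0.0.137' -> (28, 0, 0, 137); rejects malformed strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Flash version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_vulnerable_flash(version_text):
    """True when the installed Flash Player is 28.0.0.137 or earlier."""
    return parse_version(version_text) <= LAST_VULNERABLE


def find_embedded_flash(doc_bytes):
    """Return a list of (part_name, reason) for every Flash indicator found.

    Three independent signals are checked so that renaming the part or
    dropping the content-type declaration alone does not hide the object:
      1. [Content_Types].xml declares the Flash MIME type,
      2. a part starts with an SWF magic,
      3. an ActiveX part references the Flash CLSID.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == "[Content_Types].xml" and FLASH_MIME in data:
                findings.append((name, "declares Flash content type"))
            if data[:3] in SWF_MAGICS:
                findings.append((name, "SWF header %s" % data[:3].decode("ascii")))
            if name.startswith("xl/activeX/") and FLASH_CLSID in data.upper():
                findings.append((name, "ActiveX control with Flash CLSID"))
    return findings


def build_sample_xlsx(with_flash):
    """Construct a minimal OOXML-shaped zip; with_flash adds Flash parts.

    Stand-in for a suspicious Excel attachment, built here for the demo;
    the ActiveX XML shape is an assumption, not a real sample file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = (b'<?xml version="1.0"?><Types>'
                 b'<Default Extension="xml" ContentType="application/xml"/>')
        if with_flash:
            types += b'<Default Extension="swf" ContentType="' + FLASH_MIME + b'"/>'
        types += b"</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        if with_flash:
            # Fake zlib-compressed SWF: header bytes only, no real bytecode.
            zf.writestr("xl/media/movie1.swf", b"CWS\x0f" + b"\x00" * 16)
            zf.writestr("xl/activeX/activeX1.xml",
                        b'<ocx classid="{' + FLASH_CLSID + b'}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_xlsx(False)),
                       ("with-flash", build_sample_xlsx(True))):
        print(label, find_embedded_flash(doc))
    for v in ("28.0.0.137", "28.0.0.138"):
        print(v, "vulnerable" if is_vulnerable_flash(v) else "not affected")
```

Run it against a real attachment by passing the file's bytes to find_embedded_flash(); any finding is reason to hold the document back, since a legitimate spreadsheet almost never needs an embedded Flash movie. Embedded OLE objects (xl/embeddings/*.bin) wrap their payload in a compound-file header, so a Flash object hidden that way would need the blob parsed first; this example deliberately stops at the three direct indicators.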

Adobe's Security Advisory:
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe will address this vulnerability in a release planned for the week of February 5.

More about the exploit from Dan Goodin at Ars Technica:

An Adobe Flash 0day is being actively exploited in the wild
Adobe plans to have a fix for the critical flaw next week.
... While the number of in-the-wild attacks exploiting Flash zerodays has dropped significantly over the past year or two, the risk posed by the Adobe media player remains unacceptably high relative to the benefit it provides most users. And now that word of the vulnerability is circulating, it wouldn't be surprising for other groups to use it against a much wider audience.
[Note that Ars Technica quotes the CVE as "2018-4877" as opposed to 2018-4878. I consider '2018-4877' to be a typo. Sadly, as usual, Dan's article is being quoted verbatim around the Internet along with the wrong CVE number. Stick with CVE-2018-4878, the CVE identified by Adobe. Because of the precautions taken at CVE.Mitre.org, it's impossible to identify the differences between these two CVE numbers until after the current zero-day has been patched. Meanwhile, the NIST (National Institute of Standards and Technology) CVE database doesn't yet list either number. Bureaucracy at work. Zzzz.]

CONCLUSIONS:

Don't use Microsoft Excel
Don't use Adobe Flash

:-Derek

--