Skip to main content

(Unpatched) Adobe Flash Player Zero-Day Exploit Spotted in the Wild


Another reason to uninstall Adobe Flash Player—a new zero-day Flash Player exploit has reportedly been spotted in the wild by North Korean hackers.

South Korea's Computer Emergency Response Team (KR-CERT) issued an alert Wednesday for a new Flash Player zero-day vulnerability that's being actively exploited in the wild by North Korean hackers to target Windows users in South Korea.

Simon Choi of South Korea-based cybersecurity firm Hauri first reported the campaign on Twitter, saying the North Korean hackers have been using the Flash zero-day against South Koreans since mid-November 2017.

Although Choi did not share any malware sample or details about the vulnerability, the researcher said the attacks using the new Flash zero-day is aimed at South Korean individuals who focus on researching North Korea.

Adobe also released an advisory on Wednesday, which said the zero-day is exploiting a critical 'use-after-free' vulnerability (CVE-2018-4878) in its Flash media software that leads to remote code execution


The critical vulnerability affects Adobe Flash Player version 28.0.0.137 and earlier versions for:
  • Desktop Runtime (Win/Mac/Linux)
  • Google Chrome (Win/Mac/Linux/Chrome OS)
  • Microsoft Edge and Internet Explorer 11 (Win 10 & 8.1)

"Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users," the advisory said. "These attacks leverage Office documents with embedded malicious Flash content distributed via email. Adobe will address this vulnerability in a release planned for the week of February 5."

To exploit the vulnerability, all an attacker need to do is trick victims into opening Microsoft Office documents, web pages, or spam messages that contain a maliciously crafted Adobe Flash file.

The vulnerability can be leveraged by hackers to take control of an affected computer.

Choi also posted a screenshot to show that the Flash Player zero-day exploit has been delivered via malicious Microsoft Excel files.

Adobe said in its advisory that the company has planned to address this vulnerability in a "release planned for the week of February 5," through KR-CERT advises users to disable or completely remove the buggy software.

YOU MAY ALSO LIKE :-

Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

Chrome Web Browser Will Now Use 10% More RAM With Spectre Fix

A new security feature named ‘Site Isolation’ has been introduced for Google Chrome 67 which would nullify the effects of speculative execution side-channel attacks like Spectre. To put things to the perspective, Spectre is one of the two fundamental design flaws in the  modern processors, which allow programs to get access to the data for which it is not authorized. Malicious data can exploit this flaw to steal your password and other personal information. What is Site Isolation? The new Site Isolation feature introduced in Google Chrome 67 brings about a fundamental change to Chrome’s architecture. Now, Chrome has changed how its multi-process architecture worked and different tabs used different render processes. According to the new architecture, Chrome limits each renderer process to a single site. By this separation of processes, Google aims to prevent direct memory reading across different processes to safeguard users’ data. According to G...
Post a Comment
Read more

Amazon, Reddit And Others Fail To Warn Us About Dumb Passwords

B elieve it or not, there is still a large number of people who use passwords such as “password,” “password123”, “[dog’s name]1” and others along the same lines. And in the era of sophisticated hacking, these passwords are not exactly “safe.” Before me, this is the first thing websites should inform you while setting up a password. But apparently, many big names are not doing enough to encourage non-terrible passwords, according to  the new research . Steve Furnell from the University of Plymouth has been keeping tabs on the websites like Amazon, Reddit, and Wikipedia for many years, carrying out similar assessments in 2007, 2011 and 2014. His 2018 survey examined practices of Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live, and Netflix. The study concluded that Amazon had the worst performance among all the names. It nearly accepted every kind of password of any length. On the other hand, Yahoo and Wikip...
Post a Comment
Read more

Is Microsoft Working On A New “Next-generation OS”? Should I Really Get Excited?

I n an announcement that’ll surely spark the interest of Windows enthusiasts, Synaptics hinted at a new “next-generation” operating system from Microsoft. This announcement took place during a conference, where Synaptics and AMD shared their plans to work together to secure the operating systems with a new kind of fingerprint sensor. Here’s what the press release from Synaptics actually said: Further, the new “biometric security OS” gets a mention again along with Windows Hello. The partnership with AMD will reportedly let Synaptics use FS7600 Match-in-Sensor technology, which is completely isolated from the rest of the system and operating system for extra security. It goes without saying that you need to take this news with an extra pinch of salt than the regular rumors that keep making rounds. The next-gen OS from Microsoft could be merely the next significant Windows 10 upgrade. In case you’re a person who loves to think more positively, ...
Post a Comment
Read more