Adobe released a patch for the zero-day vulnerability that South Korea’s government announced last week.
New Flash Zero-Day
Last week, South Korea’s Internet & Security Agency (KISA) issued an alert about a Flash zero-day vulnerability that attackers were exploiting against the country’s own citizens. Flash hasn’t been much in the news lately because by now most modern browsers are blocking it by default, which means attackers can’t exploit users’ machines directly through Flash-reliant websites anymore.
However, in this case, the attackers were able to exploit a new zero-day vulnerability in Flash primarily by sending emails with attached Word documents that contained embedded Flash code. The “use after free” (UAF) vulnerability could allow the attackers to remotely take over the infected systems.
Adobe responded at the time by saying that it had been made aware of the bug and that it believed the bug had only been used in limited and targeted attacks against some Windows users so far. However, the bug also affected macOS and Linux users.
Adobe reminded IT administrators that starting with the previous version of Flash (v27) they could change Flash Player’s behavior so that it prompts a user before playing SWF content. Adobe also reminded administrators that they can lock down Word documents with Protected View, which opens documents in a read-only mode.
Patch Is Here
As it promised last week, Adobe published a security bulletin and a patch that fixes the zero-day vulnerability. The patch is also available through the latest Windows update, which was released at the same time as Adobe’s own update.