
Adobe Patches Yet Another Flash Zero-Day

Researchers have discovered yet another zero-day vulnerability in Adobe Flash Player, one that has been actively exploited against targets in the Middle East. Shortly after the vulnerability was disclosed, Adobe released security updates for Flash Player on Windows, macOS, Linux, and Chrome OS.

ICEBRG, a network security company, said in a blog post that the vulnerability lets a malicious Flash object execute code on the targeted device, which in turn allows attackers to "execute a range of payloads and actions" depending on their intentions. The vulnerability has been assigned CVE-2018-5002, although at the time of writing it has not yet been listed on the official CVE website or in the National Vulnerability Database (NVD).

According to ICEBRG, this zero-day vulnerability has been exploited in the Middle East via Microsoft Office documents that are used to download and execute a Flash exploit on target devices. The company said this approach differs from other Office-delivered Flash exploits in that it "uses a lesser-known feature to remotely include all SWF content from the attacker’s server instead of embedding it directly in the document."

Attackers shifted away from delivering Flash exploits via malicious websites after browser makers sandboxed the plugin and moved it behind click-to-play prompts. Instead, many have opted to deliver them through Office documents, because the Office suite doesn't offer the same protections around embedded Flash content. Office documents are also something people handle constantly, and unless they've been explicitly told not to, chances are good they'll open one regardless of where it came from.
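As an added illustration (this is not code from the article or from ICEBRG), the following Python scans an OOXML document for the delivery pattern described above: an embedded Flash ActiveX control whose Movie property points at a remote location, so the SWF is fetched from the attacker's server rather than carried inside the file. It assumes the standard OOXML layout for ActiveX controls (property parts named word/activeX/activeXN.xml or xl/activeX/activeXN.xml using the ax:ocx element with ax:classid and ax:ocxPr attributes) and the Flash Player control's CLSID; the sample document it inspects is constructed inline for the demonstration and is not a real malicious file. The page itself does not describe the exact Office feature ICEBRG observed, so treat the check as a detection for the general class of behaviour, not a signature for this specific campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# CLSID of the Adobe Flash Player ActiveX control ("Shockwave Flash Object").
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
# Namespace Office uses for ActiveX property-bag parts (assumed standard OOXML layout).
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
# Property parts live at word/activeX/activeXN.xml (Word) or xl/activeX/activeXN.xml (Excel).
ACTIVEX_PART = re.compile(r"/activeX/activeX\d+\.xml$")
# Anything that resolves outside the package: a URL scheme or a UNC path.
REMOTE_REF = re.compile(r"(?i)^(?:https?|ftp|file)://|^\\\\")


def flash_controls(package_bytes):
    """Return [(part_name, movie_value, is_remote)] for each Flash ActiveX control
    in an OOXML package whose properties are stored as an XML property bag."""
    results = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for part in z.namelist():
            if not ACTIVEX_PART.search(part):
                continue
            root = ET.fromstring(z.read(part))
            ocx = root if root.tag == f"{{{AX_NS}}}ocx" else root.find(f"{{{AX_NS}}}ocx")
            if ocx is None:
                # persistStreamInit controls keep their properties in a sibling .bin part,
                # which this scanner does not parse.
                continue
            if (ocx.get(f"{{{AX_NS}}}classid") or "").upper() != FLASH_CLSID:
                continue
            movie = ""
            for prop in ocx.findall(f"{{{AX_NS}}}ocxPr"):
                if prop.get(f"{{{AX_NS}}}name") == "Movie":
                    movie = prop.get(f"{{{AX_NS}}}value") or ""
            results.append((part, movie, bool(REMOTE_REF.search(movie))))
    return results


def remote_flash_includes(package_bytes):
    """Return [(part_name, url)] for Flash controls that pull their SWF from outside the document."""
    return [(part, movie) for part, movie, remote in flash_controls(package_bytes) if remote]


def build_sample_package(movie):
    """Constructed test input: a minimal package containing one Flash control. Not a real document."""
    activex_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" ax:persistence="persistPropertyBag">'
        f'<ax:ocxPr ax:name="Movie" ax:value="{movie}"/>'
        '<ax:ocxPr ax:name="Play" ax:value="-1"/>'
        '</ax:ocx>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/activeX/activeX1.xml", activex_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample URL on a TEST-NET address; the benign case is a relative reference.
    suspicious = build_sample_package("http://203.0.113.7/payload.swf")
    benign = build_sample_package("embedded.swf")
    print("remote includes (suspicious):", remote_flash_includes(suspicious))
    print("remote includes (benign):", remote_flash_includes(benign))
```

Any Flash control at all inside an Office document is worth flagging on a mail gateway today, but the remote-Movie check is the part that distinguishes this delivery style from the older embed-the-SWF approach, and it also surfaces the URL you would want to block and hunt for in proxy logs.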

ICEBRG said it notified Adobe of the vulnerability on June 1; the patches were released on June 7. Adobe is no stranger to rushing out fixes for Flash zero-days, having patched a different one earlier this year (and countless others in the years prior). Take what comfort you can in knowing that Adobe plans to end support for Flash in 2020.

  • Jake Hall
    I can't wait till flash is a thing of the past
  • InvalidError
    Adobe should just rename Flash to Flashsploit. Glad I decided to adopt a "screw Flash" policy over a year ago and flushed it. If I stumble upon a site that requires it to be usable, I simply go elsewhere.
  • Math Geek
    people still use flash? when did that start back up?
  • Ilya__
    Flash has gotten a bit better over the years; it went from spot #4 (2016) to #9 (2018), but it's still really bad given that it's not even an OS or anything with a large attack surface.

    Source: https://www.cvedetails.com/top-50-products.php
  • amk-aka-Phantom
    I haven't used Flash for years until recently, I was forced to install it again. Guess whose fault that was? Cisco Network Academy. Their assessments require it.
  • lperreault21
    Math Geek said:
    people still use flash? when did that start back up?

    It's bored 6th graders on their school Chromebooks in study hall.