Emergency update: Zero-day attack takes over Adobe Flash

Another patch has been released with security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS that address multiple critical vulnerabilities.

On June 7, an Adobe security bulletin announced that exploits exist in the wild. Used to target Windows users, the exploit leverages Office documents with embedded Flash Player content distributed by e-mail, and affects Adobe Flash Player 29.0.0.171 and earlier versions.

The update fixed several vulnerabilities in Adobe Flash, and Adobe recognized all those who reported the various flaws, expressing its gratitude to the people who worked to protect Adobe customers.

“This is a confusion vulnerability, which means that the code does not properly inspect the input data,” said Allan Liska, threat intelligence analyst at Recorded Future. “When successfully exploited, this vulnerability allows remote code execution”.

The second critical vulnerability (CVE-2018-5002), reported by multiple sources, is a buffer overflow vulnerability that also allows remote code execution. Liska noted that this is currently being exploited in the wild as part of several phishing campaigns.

The exploit leverages a Flash file embedded in a Microsoft Office document, Liska said. “When the victim opens the Office document, the trojaned Flash code is automatically executed”.

According to the International Cyber Security Institute, users who want to be protected must upgrade to the next version of Adobe Flash. Adobe also recommends that users visit its online portal and verify which version of Flash is installed on their computers.