Adobe warns of Flash zero-day, patch to come next week


It’s like 1998 all over again!

OK, perhaps it would be fairer to say that it’s like 2008 all over again…

…there’s a zero-day security hole in Adobe Flash.

In APSA18-01, Adobe’s first Flash Security Advisory of the year, the company warns:

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

To revisit the terminology here:

  • CVE-2018-4878 is a placeholder identifier for a security bug, or vulnerability, in Flash.
  • The word exploit means there exists a working, booby-trapped file that triggers the vulnerability.
  • The use of Office documents as a carrier for the malicious Flash exploit file, plus the use of email to push the malware at your users from outside, means it’s a remote attack.
  • An exploit that can trick your computer into running program code sent in from outside without a warning is called an RCE, short for Remote Code Execution, the most dangerous sort of exploit.
  • The RCE is dubbed a zero-day because the crooks found and used it first, before a patch was ready, so there were zero days during which you could have been patched proactively.

The good news is that Adobe intends to release a patch next week (the week starting 2018-02-05), rather than waiting until the week after next, when its usual Patch Tuesday (2018-02-13) falls.

The bad news, of course, is that the patch won’t be available until next week, so the vulnerability will remain a zero-day until then.

What to do?

  • Uninstall Flash if you don’t need it. The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.
  • Try uninstalling Flash anyway unless you are certain you need it. If anything critical stops working, you can always put it back.
  • Grab and install Adobe’s update as soon as you can. If you uninstalled Flash as a precaution, don’t reinstall it until the new version is out.

Note that just turning off Flash in your browser isn’t enough – that prevents Flash files embedded in web pages from rendering inside your browser, but doesn’t remove the Flash playing software from your computer as a whole.

We’re assuming that the crooks chose to embed their booby-trapped Flash file inside an Office document to bypass your browser, where many users have already blocked Flash from playing, or only activate it for specific websites.
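For mail-gateway or endpoint triage of the delivery method Adobe describes, the sketch below flags Office files that carry Flash content. It is an added example, not code from Adobe or from this article, and it generalises to both OOXML (zip) and legacy binary documents. The function names, indicator labels, the size cap and the version-byte bound are assumptions, and the check is a heuristic that will not see content hidden by encryption or nested containers.

```python
import io
import re
import uuid
import zipfile

# SWF header: FWS/CWS/ZWS + version byte (the cap of 50 is an assumption made here).
SWF_MAGIC = re.compile(rb"[FCZ]WS[\x01-\x32]")
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")  # Flash ActiveX
TEXT_MARKERS = {"flash-progid": "shockwaveflash.shockwaveflash",
                "flash-clsid-text": str(FLASH_CLSID)}
MAX_MEMBER = 50 * 1024 * 1024  # skip oversized zip members (decompression bombs)

def flash_indicators(data: bytes) -> list:
    """Heuristic markers of embedded Flash in one blob of bytes."""
    hits = []
    if SWF_MAGIC.search(data):
        hits.append("swf-header")
    if FLASH_CLSID.bytes_le in data:  # CLSID as stored in binary OLE data
        hits.append("flash-clsid-binary")
    low = data.lower()  # case-insensitive match for the textual markers
    for name, text in TEXT_MARKERS.items():  # ASCII and UTF-16LE spellings
        if text.encode() in low or text.encode("utf-16-le") in low:
            hits.append(name)
    return hits

def scan_document(data: bytes) -> dict:
    """Map each part of an Office file to the Flash indicators found in it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):  # legacy .doc/.xls: scan raw bytes
        hits = flash_indicators(data)
        return {"<raw>": hits} if hits else {}
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # OOXML: scan each member
        for info in zf.infolist():
            hits = (["skipped-too-large"] if info.file_size > MAX_MEMBER
                    else flash_indicators(zf.read(info)))
            if hits:
                findings[info.filename] = hits
    return findings

def build_sample(with_flash: bool) -> bytes:
    """Constructed test input: a minimal zip shaped like a .docx, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>Quarterly figures</w:document>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml", '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID)
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 32 + b"CWS\x20" + b"\x00" * 64)
    return buf.getvalue()

print(scan_document(build_sample(with_flash=True)))
```

To check a real attachment, pass its bytes to `scan_document`; any non-empty result is a reason to quarantine the file for closer inspection, not proof that it is malicious.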