Windows security: Microsoft issues Adobe patch to tackle Flash zero-day

Microsoft is protecting Windows users from a Flash Player flaw exploited by suspected North Korean hackers.
Written by Liam Tung, Contributing Writer

Video: Job-offer malware linked to North Korea chases bitcoin boom

Microsoft has released Adobe's patch for a critical flaw in Flash Player that suspected North Korean hackers have exploited in malicious Excel sheets.

Researchers at Cisco Talos said hackers known as Group 123 were using the zero-day Flash flaw and Excel sheets to deliver the ROKRAT remote-administration tool.

The use-after-free vulnerability in Flash allowed attackers to gain remote code execution on Windows, macOS, Linux, and Chrome OS, Adobe warned last week after South Korea's CERT said it had observed a Flash exploit for the CVE-2018-4878 being used in the wild.

Adobe said after that it was developing the patch over the coming week, which it released on Tuesday.

Adobe's update shuts down this avenue for gaining remote code execution on Windows, macOS, Linux, and Chrome OS, and bumps up the current version of Flash Player to

Since Microsoft is responsible for updating Flash player in Internet Explorer and Edge, the company notes that its "out-of-band February 6 security release consists of security updates for Adobe Flash".


Cisco Talos researchers have set out the exploit workflow used for the Adobe Flash zero-day.

Image: Cisco Talos

Cisco researchers found Group 123's Excel sheets contained an ActiveX object that was a malicious Flash file that downloaded ROKRAT from a compromised web server.

Download now: Intrusion detection policy

Notably, it was the first time this group has been seen using a zero-day exploit, suggesting the targets were carefully selected and high value.

FireEye, which calls Group 123 TEMP.Reaper, said it had observed the group interacting with their command-and-control infrastructure from North Korean IP addresses. Most of the group's targets were South Korean government, military and defense industry organizations, it said.

Adobe also patched a second use-after-free vulnerability that that could allow for remote code execution.

Flash Player installed with Chrome, Edge and Internet Explorer 11 will be updated to the latest version automatically.

Flash Player, once a favorite target for exploit kits, will reach end-of-life in December 2020 as the industry moves towards HTML5. Microsoft and Google plan to have dropped support for Flash before then.

Previous and related coverage

South Korea identifies Flash 0-day in the wild

Excel spreadsheet, Active X, Adobe Flash -- this exploit is a blast from the past with one of everything.

Hackers race to use Flash exploit before vulnerable systems are patched

APT28 threat group is moving fast in the hope that targets haven't yet installed a recently released patch to fix the recently uncovered exploit

Adobe patches 67 vulnerabilities in Flash, Reader

The round of patches fixes critical issues, many of which lead to remote code execution.

Businesses should update Adobe Flash immediately to avoid this exploit (TechRepublic)

Kaspersky Lab recently identified an Adobe Flash zero day exploit that has already been used in an attack in the wild.

Editorial standards