Skip to content
Flash
Naked Security Naked Security

Adobe warns of Flash zero-day, patch to come next week

Adobe has announced that a zero-day Flash exploit has turned up in the wild - a patch should be ready early next week.
Written by
February 02, 2018
Naked Security Adobe Exploit Flash Zero-day

It’s like 1998 all over again!
OK, perhaps it would be fairer to say that it’s like 2008 all over again…
…there’s a zero-day security hole in Adobe Flash.
In APSA18-01, Adobe’s first Flash Security Advisory of the year, the company warns:

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.


To revisit the terminology here:

  • CVE-2018-4878 is a placeholder identifier for a security bug, or vulnerability, in Flash.
  • The word exploit means there exists a working, booby-trapped file that triggers the vulnerability.
  • The use of Office documents as a carrier for the malicious Flash exploit file, plus the use of email to push the malware at your users from outside, means it’s a remote attack.
  • An exploit that can trick your computer into running program code sent in from outside without a warning is called an RCE, short for Remote Code Execution, the most dangerous sort of exploit.
  • The RCE is dubbed a zero-day because the crooks found and used it first, before a patch was ready, so there were zero days during which you could have been patched proactively.

The good news is that Adobe intends to release a patch next week (the week starting 2018-02-05), rather than waiting until the week after next, when its usual Patch Tuesday (2018-02-13) falls.
The bad news, of course, is that the patch won’t be available until next week, so the vulnerability will remain a zero-day until then.

What to do?

  • Uninstall Flash if you don’t need it. The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.
  • Try uninstalling Flash anyway unless you are certain you need it. If anything critical stops working, you can always put it back.
  • Grab and install Adobe’s update as soon as you can. If you uninstalled Flash as a precaution, don’t reinstall it until the new version is out.

Note that just turning off Flash in your browser isn’t enough – that prevents Flash files embedded in web pages from rendering inside your browser, but doesn’t remove the Flash playing software from your computer as a whole.
We’re assuming that the crooks chose to embed their booby-trapped Flash file inside an Office document to bypass your browser, where many users have already blocked Flash from playing, or only activate it for specific websites.

About the Author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.

Follow him on Twitter: @duckblog

Read Similar Articles

7 Comments

Edge (yes I use it when I want an entirely unadulterated, off the shelf, and otherwise unmolested browser) has Flash. I suspect it’s hidden well enough not to have to worry. *famous last words*

Reply

You can turn off the Flash in Edge by clicking into the three-dots menu, then Settings → View advanced settings → Use Adobe Flash Player (default is On.)

Reply

Hello Paul
thanks for the warning
a request: could Sophos provide a detailed and practical/simple guide for twaks like myself for securing macOS high sierra??
settings etc…
that would be most helpful…simple guide…do 1), do 2) etc
you already help mac users but hey….better safe than sorry.
thanks again Paul
kind regards
zeke

Reply

1. Check macOS itelf.
Is Adobe Flash (from Adobe itself) installed? Check by going into Apple Menu → System Preferences... and looking for a Flash Player icon.
If it’s there, use Finder to go to Applications → Utilities and run the app Adobe Flash Player Installer Manager to remove it.
2. Check Safari.
Is the built-in Adobe Flash activated? Go to Safari → Preferences... → General and look for the Plug-ins section in the left-hand scrolling list.
Untick the Adobe Flash Player box to turn it off.
HtH.

Reply

Thanks for the recommendations&help Paul but I meant a general guide to hardening security in macOS High Sierra, a security guide with simple recommendations for the whole system.
Again, thank you.
Kind regards
zeke

Reply

I play just one game – Farmville 2 which unfortunately needs Flash to run. Is there any way I can protect myself until the update is available without not playing the game – I spend a lot of time stuck in bed so it is my one form of just total escape as don’t watch TV and normally just listen to audiobooks or try and study some courses when up to it and surf FB
Thanks for all the information you share with us I read everything, if not been on FB for a bit I go to your page to catch up on your posts and have learnt so much and pass on to friends and family – they see me as the tech nerd of the family.

Reply

Most broswers have a click-to play mode for Flash that requires you choose at run-time whether a web page can use Flash.
Firefox, for example, makes it easy to turn Flash off (as though it weren’t installed in your browser at all) via the Tools → Add-ons menu. So you can leave Flash off until you know you’re about to need it, then enable it when you need it and turn if off afterwards.
Firefox calls these options Never Activate (tell websites it isn’t there), Ask to Activate (also known as click-to-play) and Always Activate (party like it’s 1999).

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!