Another month, another Flash update, right? Wrong – who ever heard of Patch Thursday?
It must be bad…
Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.
Unlike the critical vulnerabilities patched in Adobe’s March, April and May updates, CVE-2018-5002 isn’t a remotely exploitable flaw that cybercriminals might decide to exploit in future, it’s one that we only know about because they’re exploiting it now, a so-called zero-day.
You know, like the one in the February Flash update.
According to Qihoo 360 Core Security, one of a number of organisations to have discovered the bug independently of each other, hackers have been seen launching attacks using Microsoft Office documents configured to load Flash files that exploit the vulnerability and use it to execute malware.
The bug exists in all versions of Flash up to 29.0.0.171. You’ll need version 30.0.0.113 for the fix.
The Flash players bundled with Google Chrome, Microsoft Edge, and Internet Explorer 11 for Windows 10 and 8.1, will get it automatically.
According to Adobe, everyone else should update “via the update mechanism within the product” or by getting a freshly minted copy of its player from the Adobe Flash Player Download Center.
Given the pounding regularity of critical updates, and the total lack of surprise that greets the discovery of yet another in-the-wild exploit, die-hard users of Flash probably have the muscle memory for updates dialled in so hard they can do them in their sleep.
I suggest you interrupt your subconscious reflex and don’t update though. I suggest that if you’re still using Flash you remove it entirely, right now, and never look back.
Why? Because whatever you think of it, it’s officially dead in 2020, so you’re going to have to adapt to life without it pretty soon anyway.
You might as well get out of this browser-based game of Russian roulette now and save yourself the last 30 spins of the cylinder.
Kasun
Who hell used Flash nowadays? Unless in constrained environment flash should be used which Info Sec 101. This is why aliens don’t visit us.
Anonymous
Aliens don’t visit us because we taste like chicken and they already have enough chickens.
Rob
VMWare admins
Anonymous
Ugh. Brutally true. Upgrade all your VMware to 6.5 as soon as possible.
Nobody_Holme
I “uninstalled” flash several years ago without noticing. When I moved over to windows 10, I never installed it, and it didn’t come preinstalled. I only noticed last week poking around some shady websites when their videos still wouldn’t play after I set noscript to let their scripts run.
Nothing of value was lost? I presume there’s plenty of the type of content the darker end of Reddit loves running in flash, but not much else. Porn, maybe? Crappy Russian YouTube “competitors”? North Korea’s two websites with video content?
I’m stabbing in the dark here…
Paul Ducklin
Edge (and IIRC Google’s Chrome, which I don’t use but have a passing acquaintance with) include their own “curated” builds of Flash, but you can shut the Flash part off entirely. Amusingly, sites that insist on Flash can often be perasuded to use HTML5 by setting your User-Agent string to identify yourself an an iPhone or iPad. They have never supported Flash (and never will), and few mainstream sites want to be invisible to every iOS user in the world… so they quietly serve up non-Flash videos if you give them an unavoidable reason.
Rural central Montana
Bank of America’s ShopSafe single-use credit card numbers requires Flash. I’ve complained to them numerous times. It’s still the best temporary numbers generator, so I need it. Annoying.
Eric
So… does anyone know if Sophos Central AKA Sophos Endpoint or InterceptX adds a layer of protection against this exploit? I’m having trouble tracking down information that says one way or the other.
Paul Ducklin
Sophos blocks the exploit under the following names…
Exp/20185002-A
Troj/SWFExp-OO
…if you would like to check your logs.
Chris
I have Flash set so that you have to give it permission to run. All of the catch-up TV sites seem to want it enabled before they will play.