Adobe issued an advisory about another vulnerability in Adobe Flash Player 220.127.116.11 and earlier versions. Adobe warns that “Successful exploitation could potentially allow an attacker to take control of the affected system.”
Adobe expects to issue a patch this week, earlier than the usual Patch Tuesday date (Feb. 13, 2018).
Last week, Sophos’ Naked Security blog included an article that explains some of the terms used in the Adobe alert:
- [The alert is] for a security bug, or vulnerability, in Flash.
- The word exploit means there exists a working, booby-trapped file that triggers the vulnerability.
- The use of Office documents as a carrier for the malicious Flash exploit file, plus the use of email to push the malware at your users from outside, means it’s a remote attack.
- An exploit that can trick your computer into running program code sent in from outside without a warning is called an RCE, short for Remote Code Execution, the most dangerous sort of exploit.
- The RCE is dubbed a zero-day because the crooks found and used it first, before a patch was ready, so there were zero days during which you could have been patched proactively.
From Paul Ducklin's "Adobe warns of Flash zero-day, patch to come next week," Naked Security, Feb. 2, 2018
To protect yourself:
- Uninstall Flash. Most websites use HTML5 to display video in your browser, so Flash is not needed as much as it used to be.
- If you need Flash, uninstall it for now if you can, and install Adobe's update as soon as it is available.
- Be very careful about opening unsolicited MS Office documents and be wary about following links in those documents.
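As an added example (not part of this advisory or the Sophos article), the script below shows one way a defender can screen incoming Office documents for the carrier described above: it opens the OOXML ZIP container of a .docx/.xlsx/.pptx and flags any part that carries a Flash (SWF) header, with a header sanity check so ordinary text is not reported. The function names, the sample documents and the fake SWF bytes are all constructed for this illustration.

```python
import io
import re
import zipfile

# SWF signatures: uncompressed (FWS), zlib-compressed (CWS), LZMA-compressed (ZWS).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def _swf_header_at(data: bytes, p: int) -> bool:
    """Sanity-check the SWF header at offset p (version byte, declared length,
    compression marker) so ordinary text that contains 'FWS' is not flagged."""
    if len(data) < p + 9:
        return False
    version = data[p + 3]
    length = int.from_bytes(data[p + 4:p + 8], "little")
    if not 1 <= version <= 50 or length < 8:
        return False
    if data[p:p + 3] == b"FWS":
        return length <= len(data) - p   # uncompressed: length is the file size
    if data[p:p + 3] == b"CWS":
        return data[p + 8] == 0x78       # a zlib stream follows the header
    return True                          # ZWS (LZMA): accept on magic + version

def _part_has_swf(data: bytes) -> bool:
    """A plausible SWF header anywhere in the part, including inside an OLE blob."""
    return any(_swf_header_at(data, m.start())
               for magic in SWF_MAGICS for m in re.finditer(re.escape(magic), data))

def find_embedded_swf(doc_bytes: bytes) -> list:
    """Names of ZIP parts that carry SWF data; non-ZIP input (e.g. legacy .doc) -> []."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return []
    with zf:
        return [n for n in zf.namelist() if _part_has_swf(zf.read(n))]

def _build_ooxml(parts: dict) -> bytes:
    # Constructed-sample helper: zip a {part name: bytes} mapping in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples (not real malware): a clean file whose text merely says
# "FWS", and one carrying a zlib-compressed SWF inside an OLE embedding part.
CLEAN_DOCX = _build_ooxml({"word/document.xml": b"<w:document>FWS in body text</w:document>"})
FAKE_SWF = b"CWS" + bytes([30]) + (4096).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 40
BAD_DOCX = _build_ooxml({"word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + FAKE_SWF})
```

A hit means the attachment deserves a closer look rather than that it is certainly malicious, since embedded Flash also appears in older legitimate presentations.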
If you have any questions, contact your departmental IT professional or contact the IT Support Center.