Become a fan of Slashdot on Facebook


Forgot your password?
Security Privacy Windows

New Zero-Day Vulnerability Found In Adobe Flash Player ( 87

GBHackers On Cyber Security and an anonymous Slashdot reader have shared a story about a new zero-day vulnerability found in Adobe's Flash Player. Bleeping Computer reports: South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs and earlier. Flash is the current Flash version number.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea.
Adobe said it plans to patch this zero-day on Monday, February 5.
This discussion has been archived. No new comments can be posted.

New Zero-Day Vulnerability Found In Adobe Flash Player

Comments Filter:
  • Again... (Score:5, Informative)

    by JaredOfEuropa ( 526365 ) on Friday February 02, 2018 @06:04AM (#56053655) Journal
    I treat Flash itself as potential malware, and consider it to be compromised at all times. Thankfully, these days you hardly ever need it anymore.
    • by Anonymous Coward

      I treat Flash itself as potential malware, and consider it to be compromised at all times. Thankfully, these days you hardly ever need it anymore.

      Too bad it's embedded in every Windows since 8 ;)

    • I hate things like Flash, and Shockwave, and some of those other obsolete technologies that some sites desperately hang on to. I won't use sites that require them.

      Fun fact: "Flash" in the Victorian era was slang for "criminal or nefarious". I think "Flash" was a very appropriate name from Adobe.

    • >I treat Flash itself as potential malware

      Why? He was the savior of the universe.

    • VMware vCenter requires Flash for full functionality (their HTML5 web client is limited), so our production systems require very old versions of Firefox and Java in order to support Flash.
  • by gweihir ( 88907 ) on Friday February 02, 2018 @06:07AM (#56053665)

    Talk about having a death-wish...

    • by jonwil ( 467024 ) on Friday February 02, 2018 @07:22AM (#56053871)

      There are still streaming video sites out there that need Flash.
      Including the iView catch-up TV site for the Australian ABC (national government-run broadcaster) which refuses to work without Flash on my Windows 7 PC using any of the browsers I have (including Internet Exploder and Mozilla SeaMonkey)

      That said, I do not have the ActiveX version of Flash installed (which is what this exploit is targeting) and I have Flash set in SeaMonkey so it will ask me before activating any Flash content (meaning I can white list those sites that need Flash). So I should be safe from Flash exploits unless someone hacks the iView site to serve out bogus Flash files I should be safe from Flash related nasties :)

      • by AmiMoJo ( 196126 )

        Holy crap you are right! Their web site doesn't work on about 70% of due to lack of Flash support!

        Flash is blocked in Chrome now, except for a whitelist of sites which iView is not part of. It doesn't work on any of the major mobile browsers either.

      • I love how the VMWare vSphere client recommends using Flash over the HTML5 interface, even for 6.5.

        1. HTML5 based UI should at least be fully implemented by now.
        2. Flash is, and remains to be absolute ass!
        3. The stand-alone vSphere client was perfect, but doesn't support ESXi 6.5 (only 6.0 and below)
        4. How in the fuck can VMWare code ASM and C++ code, but can't get something like HTML5 right, and fallback on Flash.

        The world sucks!

        • The last time I used vSphere, the HTML5 client wasn't anywhere near to parity with the Flash version, and I didn't get the impression that VMware was making it a priority to bring it up to snuff. This was a couple of years ago, sounds like they haven't done much since then either.

          • When it comes to VM infrastructure, we're a pretty conservative shop. Whatever the bleeding edge is, often we're a full version back. v6.5 is mature about now, so when I spoke with someone from VMWare (a BTW question for an unrelated technical issue) how well the HTML5 UI was with v6.5 over 6.0, the response I got was that it's better, but still go with Flash.

            I really wanted Flash killed in fire. No, scratch that; I want it devoured by a black hole never to be seen again with zero chance of ever coming back

      • Does Seamonkey sandbox Flash like Chrome does (like Chrome even sandboxes its own content). You think you are being secure but the fact is I bet using seamonkey or palemoon you are actually much worse off than you are with Chrome.

      • by gweihir ( 88907 )

        Well, true. But why are people using them? If these sites would see a massive drop-off in views, the Flash-problem would be solved pretty fast.

    • vSphere still uses it for some stuff

    • Yes. I'm a Starbucks shareholder and this week I got email telling me where to get my electronic copy of their annual report. I like to glance at the annual reports for any stocks I own and read shareholder proposals. I rarely vote to approve those but there have been a few really good ones that I voted for. Imagine my surprise to find that the Starbucks annual report was only available in Flash, not PDF.
  • by Anonymous Coward

    Who the fuck still uses flash or has it installed these days?

  • OMFG (Score:5, Funny)

    by NoNonAlphaCharsHere ( 2201864 ) on Friday February 02, 2018 @06:17AM (#56053705)
    A Flash SWF file embedded in a MS Word file. What could possibly go wrong?
  • The problem. (Score:4, Informative)

    by Anonymous Coward on Friday February 02, 2018 @06:37AM (#56053743)

    The problem is that in China, nearly every video website used Flash-based video players.Also, some major e-banking websites require Flash.
    I do not know the exact reason, but someone said that Flash-based "web apps" are easier to make and Flash is easier to implement DRM (you know those ____ing sites that do not want you to download those videos by any means unless you sign up and pay)

  • Ya know, I'm wondering what the benefit of NK hackers using ransomware, or stealing cryptocurrency is. Ok they manage to transfer it to a bank in Switzerland or South Korea or whatever... now what? They can't transfer it to a NK bank because of the sanctions (not like numbers in a NK database help them). They can't buy a truckload of food and drive it over to NK because of sanctions/blockades. They can't rent a DC10 and airdrop food into NK because of DMZ/no-fly-zone/sanctions. I was wondering why the hacke

    • by gtall ( 79522 )

      Do the words "prevailing wind patterns" and "fallout" ever occur in your brain simultaneously?

    • Run away? Heck, why? They have a very well paying job (not just for NKor levels) and when they're home, they are basically above any and all laws as long as they don't piss off anyone higher up in the hierarchy.

      Imagine you, as a US citizen, could have all the hookers and blow you want, could treat everyone but politicians like garbage up to the point of pretty much getting away with murder if you so please and everyone has to do your bidding OR ELSE, because you're simply more valuable than anyone else in t

      • a regime like that... damn right I'd want to get out.

        But then I'm a grown up adult with a sense of responsibility to the wider world and humanity. This is also why I'm dead set against the "liberals" with their sights set on their totalitarian fascist desire to tell everyone else what to do while profiting from it.

    • by jrumney ( 197329 )
      There is no DMZ or no-fly zone between China and North Korea or Russia and North Korea. Driving a truck across those borders without being stopped for 'sanctions reasons' probably doesn't cost much in bribes either.
  • Steve Jobs declared the end of Flash in 2007. 10 years later (or 11 if your round really up), it has been true for a couple of years. I'm still surprised that I see Flash video from a local major content supplier. I'm not the guy to fix it, but I'll be happy to enlighten people (let's talk in fact).

  • I'm surprised BeauHD didn't find a way to pin the very existence of Flash on RUSSIA! RUSSIA! RUSSIA!

    Oh, yeah, this is The Onion's take on the Nunes memo:

    FBI Warns Republican Memo Could Undermine Faith In Massive, Unaccountable Government Secret Agencies []

    WASHINGTON—Stressing that such an action would be highly reckless, FBI Director Christopher Wray warned Thursday that releasing the “Nunes Memo” could potentially undermine faith in the massive, unaccountable government secret agencies of the United States. “Making this memo public will almost certainly impede our ability to conduct clandestine activities operating outside any legal or judicial system on an international scale,” said Wray, noting that it was essential that mutual trust exist between the American people and the vast, mysterious cabal given free rein to use any tactics necessary to conduct surveillance on U.S. citizens or subvert religious and political groups. “If we take away the people’s faith in this shadowy monolith exempt from any consequences, all that’s left is an extensive network of rogue, unelected intelligence officers carrying out extrajudicial missions for a variety of subjective, and occasionally personal, reasons.” At press time, Wray confirmed the massive, unaccountable government secret agencies were unaware of any wrongdoing for violating constitutional rights.

  • And how are they getting online? Hardline across their Northern border? Since China is so "great" at controlling internet traffic, how about we get them to help keep the DPRK's activities in check?

    There aren't a whole lot of addresses for the DPRK, they can't have that many computers or people with the skills to do this. Is there nothing we can do to monitor and control their access and activity?

  • South Korea embraced the internet and jumped in early. So early it forced all the banks and other agencies to use some Active X based protocol. Not sure if the country has recovered completely from that fiasco.
    • by jrumney ( 197329 )
      The government didn't force banks to use ActiveX. It forced them to use South Korea's homegrown encryption algorithms. For a long time an ActiveX control was the only off the shelf way to deploy those algorithms. They have since been added to TLS [] and are natively supported by all major browsers by now.
  • Flash has been riddled with security holes since it came into use. Since it is not based on any kind of standards whatsoever, no one can really review it for compliance. It's been a broken technology since its inception.
  • This news angered me so much that I tried seeking out removing Flash, and I was astonished at how hard it was, technically and what I'd have to give up. First surprise was Windows 10. I honestly thought Flash was just a component that could be uninstalled. How wrong I was. Turned out I would have to change ownership of system-reserved files. Cumbersome and not a pretty solution, so I postponed that project. Next I checked Google Chrome 64. Again I assumed it would just be a simple option of disabling Flash.
  • I removed Flash from my home computers some time ago. Now I only have access at work where it is a required application. (Boneheads.)
  • While Meltdown and company are getting all the attention lately, it's sort of nice to hear about something new from the folks that gave us so many classics.

  • I recently purchased a cheap laptop running Windows 10 to manage an ESXi server. The voice directed setup was great, but I was shocked to see Flash installed by default. What was Microsoft thinking?

  • by bi$hop ( 878253 )

    I uninstalled Flash and stopped using Microsoft Office years ago. Haven't missed them at all.

  • In other astonishing news, the sun came up this morning, water is wet, and it's dang cold in Point Barrow in February.

  • Why does anyone trust any application to do what it claims it will do on the tin? Isn't it the job of the Operating System to allocate and determine access to system resources, as specified by the user? We need better OSs.

IBM Advanced Systems Group -- a bunch of mindless jerks, who'll be first against the wall when the revolution comes... -- with regrets to D. Adams