New Zero-Day Vulnerability Found In Adobe Flash Player

GBHackers On Cyber Security and an anonymous Slashdot reader have shared a story about a new zero-day vulnerability found in Adobe's Flash Player. Bleeping Computer reports: South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea. Adobe said it plans to patch this zero-day on Monday, February 5.

Again...

[JaredOfEuropa]

I treat Flash itself as potential malware, and consider it to be compromised at all times. Thankfully, these days you hardly ever need it anymore.

Re:

[Anonymous Coward]

I treat Flash itself as potential malware, and consider it to be compromised at all times. Thankfully, these days you hardly ever need it anymore.

Too bad it's embedded in every Windows since 8 ;)

Re:

[ChunderDownunder]

IIRC, non-MS programs can't see the system copy, i.e. Firefox. Google Chrome sandboxes its own installation.

Re:

[Oswald McWeany]

I hate things like Flash, and Shockwave, and some of those other obsolete technologies that some sites desperately hang on to. I won't use sites that require them.

Fun fact: "Flash" in the Victorian era was slang for "criminal or nefarious". I think "Flash" was a very appropriate name from Adobe.

Re:

[TechyImmigrant]

>I treat Flash itself as potential malware

Why? He was the savior of the universe.

Re:

[ayesnymous]

VMware vCenter requires Flash for full functionality (their HTML5 web client is limited), so our production systems require very old versions of Firefox and Java in order to support Flash.

There are _still_ people using Flash Player?

[gweihir]

Talk about having a death-wish...

Re:There are _still_ people using Flash Player?

[jonwil]

There are still streaming video sites out there that need Flash.
Including the iView catch-up TV site for the Australian ABC (national government-run broadcaster) which refuses to work without Flash on my Windows 7 PC using any of the browsers I have (including Internet Exploder and Mozilla SeaMonkey)

That said, I do not have the ActiveX version of Flash installed (which is what this exploit is targeting) and I have Flash set in SeaMonkey so it will ask me before activating any Flash content (meaning I can white list those sites that need Flash). So I should be safe from Flash exploits unless someone hacks the iView site to serve out bogus Flash files I should be safe from Flash related nasties :)

Re:

[AmiMoJo]

Holy crap you are right! Their web site doesn't work on about 70% of due to lack of Flash support!

Flash is blocked in Chrome now, except for a whitelist of sites which iView is not part of. It doesn't work on any of the major mobile browsers either.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Doctor Memory]

The last time I used vSphere, the HTML5 client wasn't anywhere near to parity with the Flash version, and I didn't get the impression that VMware was making it a priority to bring it up to snuff. This was a couple of years ago, sounds like they haven't done much since then either.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Eravnrekaree]

Does Seamonkey sandbox Flash like Chrome does (like Chrome even sandboxes its own content). You think you are being secure but the fact is I bet using seamonkey or palemoon you are actually much worse off than you are with Chrome.

Re:

[gweihir]

Well, true. But why are people using them? If these sites would see a massive drop-off in views, the Flash-problem would be solved pretty fast.

vSphere still uses it for some stuff

[Joe_Dragon]

vSphere still uses it for some stuff

Re:

[Zontar_Thing_From_Ve]

Yes. I'm a Starbucks shareholder and this week I got email telling me where to get my electronic copy of their annual report. I like to glance at the annual reports for any stocks I own and read shareholder proposals. I rarely vote to approve those but there have been a few really good ones that I voted for. Imagine my surprise to find that the Starbucks annual report was only available in Flash, not PDF.

Is this really a problem?

[Anonymous Coward]

Who the fuck still uses flash or has it installed these days?

Re:

[Opportunist]

Every MS-Office User. Whether you like it or not.

Re:

[DontBeAMoran]

Good thing I stay away from the office packages from the big corporations and use Apple iWork instead!

Re:

[Opportunist]

Irony or ...?

Re:

[DontBeAMoran]

Sarcasm.

Re:

[Anonymous Coward]

VMWARE administrator ( crying :'( ) . I am going to install HTML interface soon, but some plugins are not compatible.

Re: Is this really a problem?

[Anonymous Coward]

Same here. And I have about a dozen Enterprise management tools which rely on Flash to some extent.

Re:

[Anonymous Coward]

If you have vCenter 6.x installed you should be able to already access it via https://vcenterhost/ui [vcenterhost]

It's nice, but not yet completely in parity with the flash version, and yeah many plugins don't work.

Re:

[Hal_Porter]

" And because Adobe programmers were very sinful God revealed a zero day on a Friday and did say 'Only 5 days from public disclosure to a patch... Wouldn't wanna force y'all to work weekends, fucking jokers'. An lo! Adobe engineers trying to sneak out of work at 4:50pm were caught by God in his 'Lumbergh' form and asked to work at the weekend "

Re:

[rjune]

They are getting better. I posted on February 20, 2009 that it took Adobe 18 days to release a patch for a critical flaw. I think this URL will get you to the discussion: https://slashdot.org/comments.... [slashdot.org]

With regard to Adobe and security flaws, check out this URL: https://en.wikipedia.org/wiki/... [wikipedia.org]

OMFG

[NoNonAlphaCharsHere]

A Flash SWF file embedded in a MS Word file. What could possibly go wrong?

Re:

[AmiMoJo]

Better replace it with an ActiveX control ASAP.

Re:

[NoNonAlphaCharsHere]

On further reflection, I'm thinking that the fopen() would probably cause an explosion that would make matter/antimatter look like Alka-Seltzer.

The problem.

[Anonymous Coward]

The problem is that in China, nearly every video website used Flash-based video players.Also, some major e-banking websites require Flash.
I do not know the exact reason, but someone said that Flash-based "web apps" are easier to make and Flash is easier to implement DRM (you know those ____ing sites that do not want you to download those videos by any means unless you sign up and pay)

Re:

[jbmartin6]

A lot of cloud based security camera systems have the same problem.

Qui Bono?

[mentil]

Ya know, I'm wondering what the benefit of NK hackers using ransomware, or stealing cryptocurrency is. Ok they manage to transfer it to a bank in Switzerland or South Korea or whatever... now what? They can't transfer it to a NK bank because of the sanctions (not like numbers in a NK database help them). They can't buy a truckload of food and drive it over to NK because of sanctions/blockades. They can't rent a DC10 and airdrop food into NK because of DMZ/no-fly-zone/sanctions. I was wondering why the hacke

Re:

[gtall]

Do the words "prevailing wind patterns" and "fallout" ever occur in your brain simultaneously?

Re:

[Opportunist]

Run away? Heck, why? They have a very well paying job (not just for NKor levels) and when they're home, they are basically above any and all laws as long as they don't piss off anyone higher up in the hierarchy.

Imagine you, as a US citizen, could have all the hookers and blow you want, could treat everyone but politicians like garbage up to the point of pretty much getting away with murder if you so please and everyone has to do your bidding OR ELSE, because you're simply more valuable than anyone else in t

Re:

[gbjbaanb]

a regime like that... damn right I'd want to get out.

But then I'm a grown up adult with a sense of responsibility to the wider world and humanity. This is also why I'm dead set against the "liberals" with their sights set on their totalitarian fascist desire to tell everyone else what to do while profiting from it.

Re:

[jrumney]

There is no DMZ or no-fly zone between China and North Korea or Russia and North Korea. Driving a truck across those borders without being stopped for 'sanctions reasons' probably doesn't cost much in bribes either.

Re: To anyone still using Flash in 2018 ...

[junk]

You'd be sadly amazed by the number of companies that think flash is an acceptable avenue for building interactive web properties. I frequently see it with online classes. Think school lessons, driver's education after s ticket, HR training, "security" tutorials, etc. It's sad but there are so many "developers" that adopted it a long time ago that just aren't picking up HTML5.

What's Flash?

[pikester]

Steve Jobs declared the end of Flash in 2007. 10 years later (or 11 if your round really up), it has been true for a couple of years. I'm still surprised that I see Flash video from a local major content supplier. I'm not the guy to fix it, but I'll be happy to enlighten people (let's talk in fact).

Did BeauHD slip? This isn't RUSSIA'S!!!! fault?!?

[Anonymous Coward]

I'm surprised BeauHD didn't find a way to pin the very existence of Flash on RUSSIA! RUSSIA! RUSSIA!

Oh, yeah, this is The Onion's take on the Nunes memo:

FBI Warns Republican Memo Could Undermine Faith In Massive, Unaccountable Government Secret Agencies [theonion.com]

WASHINGTON—Stressing that such an action would be highly reckless, FBI Director Christopher Wray warned Thursday that releasing the “Nunes Memo” could potentially undermine faith in the massive, unaccountable government secret agencies of the United States. “Making this memo public will almost certainly impede our ability to conduct clandestine activities operating outside any legal or judicial system on an international scale,” said Wray, noting that it was essential that mutual trust exist between the American people and the vast, mysterious cabal given free rein to use any tactics necessary to conduct surveillance on U.S. citizens or subvert religious and political groups. “If we take away the people’s faith in this shadowy monolith exempt from any consequences, all that’s left is an extensive network of rogue, unelected intelligence officers carrying out extrajudicial missions for a variety of subjective, and occasionally personal, reasons.” At press time, Wray confirmed the massive, unaccountable government secret agencies were unaware of any wrongdoing for violating constitutional rights.

Re:

[zwarte piet]

Loads of fun?

Who the hell is selling them computers?

[sabbede]

And how are they getting online? Hardline across their Northern border? Since China is so "great" at controlling internet traffic, how about we get them to help keep the DPRK's activities in check?

There aren't a whole lot of addresses for the DPRK, they can't have that many computers or people with the skills to do this. Is there nothing we can do to monitor and control their access and activity?

Re:

[Picodon]

Russia also is an active economic and diplomatic partner of North Korea. And that includes Internet connectivity [reuters.com].

South Korea Computer Emergency Response Team

[140Mandak262Jamuna]

South Korea embraced the internet and jumped in early. So early it forced all the banks and other agencies to use some Active X based protocol. Not sure if the country has recovered completely from that fiasco.

Re:

[jrumney]

The government didn't force banks to use ActiveX. It forced them to use South Korea's homegrown encryption algorithms. For a long time an ActiveX control was the only off the shelf way to deploy those algorithms. They have since been added to TLS [ietf.org] and are natively supported by all major browsers by now.

There's a shocker

[DaMattster]

Flash has been riddled with security holes since it came into use. Since it is not based on any kind of standards whatsoever, no one can really review it for compliance. It's been a broken technology since its inception.

Please die already Flash

[sn0wflake]

This news angered me so much that I tried seeking out removing Flash, and I was astonished at how hard it was, technically and what I'd have to give up. First surprise was Windows 10. I honestly thought Flash was just a component that could be uninstalled. How wrong I was. Turned out I would have to change ownership of system-reserved files. Cumbersome and not a pretty solution, so I postponed that project. Next I checked Google Chrome 64. Again I assumed it would just be a simple option of disabling Flash.

Only at work

[AbrasiveCat]

I removed Flash from my home computers some time ago. Now I only have access at work where it is a required application. (Boneheads.)

Refreshing...

[rnturn]

While Meltdown and company are getting all the attention lately, it's sort of nice to hear about something new from the folks that gave us so many classics.

Flash included with Windows 10

[h4ck7h3p14n37]

I recently purchased a cheap laptop running Windows 10 to manage an ESXi server. The voice directed setup was great, but I was shocked to see Flash installed by default. What was Microsoft thinking?

Yawn

[bi$hop]

I uninstalled Flash and stopped using Microsoft Office years ago. Haven't missed them at all.

Breaking news! New Flash vulnerability!

[Mike Van Pelt]

In other astonishing news, the sun came up this morning, water is wet, and it's dang cold in Point Barrow in February.

Re:

[Mike Van Pelt]

(but the sun didn't come up in Point Barrow, Alaska.)

Why are people trusting applications?

[ka9dgx]

Why does anyone trust any application to do what it claims it will do on the tin? Isn't it the job of the Operating System to allocate and determine access to system resources, as specified by the user? We need better OSs.