If you’re among the holdouts still running Flash, you have some more updating homework to do. Adobe has issued an out-of-band patch after researchers spotted a Flash zero-day flaw being exploited in the wild.
The discovery was made by Qihoo 360 which on 29 November noticed a targeted APT (Advanced Persistent Threat) attack against a healthcare clinic used by Russian Government officials.
Codenamed “Operation Poison Needles” by Qihoo in honour of its medical theme, the attack uses a Word document mocked up to look like a job application questionnaire embedding a Flash Active X control.
Anyone on the receiving end of the attack will receive a phishing email with an attached RAR archive containing the boobytrapped document executing the payload.
The fix
The vulnerability, a use after free flaw, is now identified as CVE-2018-15982 and affects all Flash versions up to and including 31.0.0.153. Patching it on Windows, macOS and Linux, and ChromeOS requires downloading 32.0.0.101.
For good measure, the patch applies a separate fix for CVE-2018-15983, a privilege escalation caused by the insecure library loading of DLLs.
It’s worth noting that Qihoo appears to have spotted it by way of their anti-malware clients, hence the confident designation as an APT connected to the conflict between Ukraine and Russia.
Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove Flash from web browsers, vectors such as Microsoft Office remain able to load and execute Flash content.
Our recommendation: remove it from your operating system before deactivating it in browsers that still give you the choice to allow it (Chrome and Edge).
Presumably (and hopefully), organisations and individuals continuing to use something scheduled to expire forever in 2020 do so for a good reason. But whatever that reason may be, as with previous patches and out-of-band updates, the latest Flash zero-day is a reminder to all to move on and stop living so dangerously.
This is from nakedsecurity.sophos.com
Click link to OG Page: Naked Security – Sophos News