Microsoft has released Windows update KB4074595 to fix a zero-day flaw in Adobe Flash Player that could allow an attacker to compromise an unpatched host and deploy additional payloads or take control of the system.
The new patch is available for all supported versions of Windows, except for Windows 7, and Microsoft recommends users to install it as soon as possible.
The vulnerability exists in versions of Adobe Flash Player older than 126.96.36.199, and it can allow arbitrary code execution. It can be exploited with Office documents that include Flash content and spreading either via compromised websites or through emails.
According to the South Korean Computer Emergency Response Team, the security flaw has already been used by North Korea in attacks aimed at researchers in South Korea. Korean security expert Simon Choi said in a tweet that this vulnerability had been used since at least mid-November 2017, and the preferred targets were South Korean researchers working on projects related to North Korea.
Adobe aware of attacks
Adobe confirmed in an advisory that it was aware of exploits aimed at this vulnerability and recommended customers to update to the latest version of Flash Player as soon as possible.
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email,” Adobe said.
Since Flash Player is directly integrated into the latest versions of Internet Explorer and Microsoft Edge, the Redmond-based software giant has to manually release patches provided by Adobe to its users. These are published on Windows Update and pushed to Windows computers automatically.
Users are obviously recommended to patch systems as soon as possible, especially because attacks have already been spotted out in the wild. Additionally, the patch can be manually downloaded from Microsoft’s Update Catalog for each version of Windows.