June 7, 2018

Adobe has released an emergency update to address a critical security hole in its Flash Player browser plugin that is being actively exploited to deploy malicious software. If you’ve got Flash installed — and if you’re using Google Chrome or a recent version of Microsoft Windows you do — it’s time once again to make sure your copy of Flash is either patched, hobbled or removed.

In an advisory published today, Adobe said it is aware of a report that an exploit for the previously unknown Flash flaw — CVE-2018-5002 — exists in the wild, and “is being used in limited, targeted attacks against Windows users. These attacks leverage Microsoft Office documents with embedded malicious Flash Player content distributed via email.”

The vulnerable versions of Flash include v. 29.0.0.171 and earlier. The version of Flash released today brings the program to v. 30.0.0.113 for Windows, Mac, Linux and Chrome OS. Check out this link to detect the presence of Flash in your browser and the version number installed.

Both Internet Explorer/Edge on Windows 10 and Chrome should automatically prompt users to update Flash when newer versions are available. At the moment, however, I can’t see any signs yet that either Microsoft or Google has pushed out new updates to address the Flash flaw. I’ll update this post if that changes. (Update: June 8, 11:01 a.m. ET: Looks like the browser makers are starting to push this out. You may still need to restart your browser for the update to take effect.)

Adobe credits Chinese security firm Qihoo 360 with reporting the zero-day Flash flaw. Qihoo said in a blog post that the exploit was seen being used to target individuals and companies in Doha, Qatar, and is believed to be related to a nation-state backed cyber-espionage campaign that uses booby-trapped Office documents to deploy malware.

In February 2018, Adobe patched another zero-day Flash flaw that was tied to cyber espionage attacks launched by North Korean hackers.

Hopefully, most readers here have taken my longstanding advice to disable or at least hobble Flash, a buggy and insecure component that nonetheless ships by default with Google Chrome and Internet Explorer. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist/blacklist specific sites.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Another, perhaps less elegant, alternative to wholesale kicking Flash to the curb is to keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.

Administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing Flash content. A guide on how to do that is here (PDF). Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.


24 thoughts on “Adobe Patches Zero-Day Flash Flaw

  1. Kevin

    My browser pushed out the update to me immediately Brian, but as always, great info.

  2. JimV

    MS still won’t push it out for awhile (hours, perhaps a day or even more) to Win10 users — a “feature” I absolutely detest about that OS, because it simply will not allow a user to manually update the AX-flavored version from an external drive utilizing the full-version download from Adobe.

    1. Ariel

      FYI. It came to all 3 of the computers over here as soon as they were booted up about 20 minutes ago.

    2. JimV

      Surprise, surprise, surprise! MS is pushing out in record time, so it must really be a nasty piece of work from their standpoint….

  3. Stephen

    Thankfully Chrome has “ask before using” enabled so there’s no need to update (which will be automatic anyways). Interestingly I have NEVER had a prompt pop up in the last few years…thus indicating no need for flash in my browsing. Yay!

  4. Grey Peterson

    Happy to say that I don’t even have Flash installed on my work machine, haven’t had a need, and that my home computer has Flash “hobbled” and set to ask permission to run, and I never let it run unless I was expecting flash content.

  5. Josiah Worcester

    I’m able to confirm that Chrome is currently putting out an update for this. Chrome 67.0.3396.79 (and probably other builds, that’s just the stable build) has Flash 30.0.0.113 in it.

    1. timeless

      I don’t think they have a bad TLS cert. It appears they are including an image over http: from their https: url, which is a bad idea, it’s called mixed-content.

      If you’re actually getting a TLS error, as opposed to a mixed content warning, that could be a sign of an attack between them and you…

  6. Notme

    Now if we could just get Trustwave to stop making us use it on their site……

  7. Chris Pugson

    Adobe Flash automatic update is even less responsive than usual. Flash user security clearly is not a concern for Adobe.

  8. Chris Pugson

    For those with a Windows XP system running on a pre-SSE2 processor, Flash 30 appears to install but something fails with a message box proclaiming ‘Illegal Instruction’. You then discover that the uninstaller also requires a SSE2 compatible processor. A use of System Restore will be required and then remember disconnect from the Internet before restarting Windows XP so that Flash 30 cannot be automatically installed again. Flash 29 and previous can be uninstalled by the expected methods.

  9. Rich Pasco

    Using Firefox, I checked both of my computers at the link provided, and to my surprise they were already at 30.0.0.113 and yet I don’t remember upgrading Flash this week. I wonder how that happened?

    1. JCitizen

      It is supposed to do it automatically, but usually only about 2/3rds of the time – unfortunately.

      Mine was already updated as well.

  10. Old School

    I had kept Flash only because the BBC was using it. On June 7, 2018 Norton Security told me that the Flash Uninstall program had an invalid certificate. I solved the problem by using the Control Panel to remove the two program entries for Flash. Then I went to the video portion of BBC News and ran the One-minute World News video. The video ran correctly so the BBC must have stopped using Flash.
    Right clicking on the video screen would have revealed the video player being used by the BBC but I chose to just remove Flash because the Control Panel indicated that the most current release of Flash was installed. Thus the situation begs the question ( petitio principii ) : What’s happening? Thus putting Flash in the dumpster of history seemed to be the best choice.

    1. JimV

      P.S. If you do use AIR and are happy to let it auto-update by default, you won’t need to do anything further. However, if you would prefer to constrain its auto-update feature to perform that action manually, Adobe doesn’t make it so easy or straightforward.

      Yes, they do provide (if you really look) an AIR file that will install a Settings Manager which is available directly from:

      http://airdownload.adobe.com/air/applications/SettingsManager/SettingsManager.air

      However, there’s a bug embedded in the installation process which involves out-of-date certificates that prevent it from succeeding and presents an error statement that the “installation file is damaged” (with instruction to re-download it, which doesn’t change the outcome). Adobe does provide the following blog entry that offers an explanation and some different workaround methods:

      https://blogs.adobe.com/flashplayer/2017/11/adobe-air-applications-installation-issue.html

      For end users who just want to install the settings manager successfully and disable the auto-update feature, the simplest method is to temporarily change the date on your OS by toggling the year from 2018 to one prior to the expiration of the problem certificate (2014 or 2015 work just fine), install the app, toggle the “disable” button in the box that appears and close it, then reset the date by toggling the year back to 2018. You’re good to go (no reboot required), and shouldn’t have to go through that process again regardless of further updates to the AIR runtime version.

      Adobe has known about this issue the past year, but clearly isn’t too interested in resolving it in ways that might further encourage more users to disable the auto-update feature. I could say more about the company’s institutional mentality, but…

  11. Erik

    Ugh. The browser providers embedding and “managing” flash is such a pain. We’ve gone to lengths to rid ourselves of it, and then then cram it right back down our throats.

  12. John

    I made a conscious effort to just not enable it in a browser. I have managed to work around not having it and if given no choice other then using Flash I just skip it. If you must use Flash I would recommend enabling Site Isolation in Chrome and using it that way. At least Flash get’s even more separated and probably helps secure it a bit more.

  13. JimV

    There’s now an update for Adobe Shockwave that brings it to v12.3.4.204.

  14. Patrick Newton

    The BBC has been inconsistent with flash – there are videos that still use flash, especially sports, but the general trend lately seems to be a move away from it – although it’s hard to tell since even some language-specific news pages still heavily use flash.

Comments are closed.