Another month, another Flash update, right? Wrong – who ever heard of patch Thursday?
It must be bad…
Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.
Unlike the critical vulnerabilities patched in Adobe’s March, April and May updates, CVE-2018-5002 isn’t a remotely exploitable flaw that cybercriminals might decide to exploit in future. It’s one that we only know about because they’re exploiting it now: a so-called zero-day.
You know, like the one in the February Flash update.
According to Qihoo 360 Core Security, one of a number of organisations to have discovered the bug independently of each other, hackers have been seen launching attacks using Microsoft Office documents configured to load Flash files that exploit the vulnerability and use it to execute malware.
The bug exists in all versions of Flash up to 22.214.171.124. You’ll need version 126.96.36.199 for the fix.
The Flash players bundled with Google Chrome, Microsoft Edge, and Internet Explorer 11 for Windows 10 and 8.1 will get it automatically.
According to Adobe, everyone else should update “via the update mechanism within the product” or by getting a freshly minted copy of its player from the Adobe Flash Player Download Center.
Given the pounding regularity of critical updates, and the total lack of surprise that greets the discovery of yet another in-the-wild exploit, die-hard users of Flash probably have the muscle memory for updates dialled in so hard they can do them in their sleep.
I suggest you interrupt your subconscious reflex and don’t update though. I suggest that if you’re still using Flash you remove it entirely, right now, and never look back.
Why? Because whatever you think of it, it’s officially dead in 2020, so you’re going to have to adapt to life without it pretty soon anyway.
You might as well get out of this browser-based game of Russian roulette now and save yourself the last 30 spins of the cylinder.
Source: Naked Security