June 7, 2018 – Security Firm Qihoo 360 identified a brand new zero-day flaw in Adobe Flash that could leave users vulnerable to executing malicious software without permission.
Attackers have been able to gain access to victim’s devices by sending emails that contain exploited Flash content that has been disguised as a Microsoft Office document. Victims download the document not realizing that it contains a malicious SWF file that’s connected to a remote server. At this time attackers appear to be only targeting organizations located in the Middle East.
Tracking the flaw – (CVE-2018-5002 ) – Adobe has issued an advisory summarizing and providing patches for the vulnerability across all OS for Adobe Flash Desktop Runtime and Chrome/Edge/IE browser plugins. The versions of Flash that are vulnerable to this zero-day are versions 22.214.171.124 and earlier. Adobe has recently released a new flash update (version 126.96.36.199) that patches the vulnerability.
The Proficio Threat Intelligence Recommendations:
- Immediately ensure that Adobe Flash is updated to the latest version.
- Require permission each and every time Flash content attempts to run.
General Info – Click Here