Microsoft updated Windows to address a Zero Day in Adobe Flash Player.
The Zero Day could allow an attacker to compromise an unpatched host and deploy additional payloads or take control of the system.
The patch is available for all supported versions of Windows, except for Windows 7. Microsoft officials are recommending users to install the fix as soon as possible. Patching the issue could eliminate problems over the long haul as attackers will start to leverage the hole sooner than later.
The vulnerability exists in versions of Adobe Flash Player older than 22.214.171.124, and it can allow arbitrary code execution. It can be exploited with Office documents that include Flash content and spreading either via compromised websites or through emails.
The flaw has already been used by North Korea in attacks focused on South Korea, said officials at the South Korean Computer Emergency Response Team. Korean security expert Simon Choi said this vulnerability had been used since at least mid-November 2017, and the preferred targets were South Korean researchers working on projects related to North Korea.
Adobe said it was aware of exploits aimed at this vulnerability and recommended customers to update to the latest version of Flash Player as soon as possible.
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email,” Adobe said.
Since Flash Player is directly integrated into the latest versions of Internet Explorer and Microsoft Edge, the Redmond-based software giant has to manually release patches provided by Adobe to its users. These are published on Windows Update and pushed to Windows computers automatically.