
Adobe Flash 0-Day Vulnerability APSA18-01

Adobe released the security advisory APSA18-01 for Flash Player that confirms a critical security vulnerability in Flash Player 28.0.0.137 and earlier.

Flash Player 28.0.0.137 is the most recent version of the program, which means that all installed versions of Flash are affected.

Affected products:

  • Adobe Flash Player Desktop Runtime on Windows, Linux and Mac platforms.
  • Adobe Flash Player for Google Chrome on Windows, Mac, Linux and Chrome OS platforms.
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 8.1 and 10.

Adobe plans to release an update for Flash Player in the coming week that patches the security issue. The company confirmed in the advisory that the vulnerability is exploited in the wild, and that it is aware of attacks against Windows users that use Office documents with embedded malicious Flash content, distributed via email.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe suggests that administrators enable Protected View to open documents in read-only mode. This is done by clicking File > Options and enabling the Protected View options under Trust > Trust Center Settings > Protected View.


This mitigates the current attack type but it may not protect systems against other attacks that exploit the vulnerability.

It is recommended to uninstall Adobe Flash in the meantime, disable it, or at the very least set it to "click to play".

Günter Born's article on disabling the native Adobe Flash implementation offers instructions on how to do that. I don't want to quote the full article, but here are the basics.

Internet Explorer

Windows admins may use the following two Registry files to disable or enable the native Flash implementation on Windows in Microsoft Internet Explorer.

To disable Flash

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

To enable Flash

Windows Registry Editor Version 5.00
; Unblock Flash Player in Windows 8, 8.1, 10
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
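The two .reg files above write the ActiveX kill-bit (0x400) for the Flash Player control's CLSID and remove it again. The following PowerShell script is an added example, not part of the original article or of Adobe's or Microsoft's tooling: it audits the current state of both registry paths, applies the kill-bit without clobbering other compatibility flags that may already be set, and reverses the change the same way the "enable" file does. It assumes an elevated prompt on Windows 8.1 or 10.

```powershell
# Added example (not from the article): audit and apply the IE ActiveX kill-bit for Flash Player.
# Run elevated. Disable-/Enable-FlashActiveX support -WhatIf so the change can be previewed first.
$FlashClsid  = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'  # Flash Player control CLSID, as in the .reg files
$KillBit     = 0x400                                      # COMPATFLAG_KILLBIT, the value the .reg files write
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-CompatFlags([string]$Key) {
    # Returns the DWORD value or $null when the key/value does not exist.
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Test-FlashKillBit {
    # One object per registry path, showing whether the kill-bit is currently set.
    foreach ($key in $KillBitKeys) {
        $flags = Get-CompatFlags $key
        [pscustomobject]@{
            Path       = $key
            Flags      = if ($null -eq $flags) { '(absent)' } else { '0x{0:X8}' -f $flags }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Disable-FlashActiveX {
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($key in $KillBitKeys) {
        # The Wow6432Node path only applies on 64-bit Windows.
        if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags kill-bit 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $existing = Get-CompatFlags $key
            # OR the kill-bit in instead of overwriting, so other flags already present survive.
            $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

function Enable-FlashActiveX {
    # Mirrors the "enable" .reg file: deleting the CLSID key removes the kill-bit.
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($key in $KillBitKeys) {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove ActiveX Compatibility key')) {
            Remove-Item -Path $key -Recurse
        }
    }
}

Test-FlashKillBit | Format-Table -AutoSize   # show the current state before changing anything
```

Run `Disable-FlashActiveX -WhatIf` to preview, then without `-WhatIf` to apply; `Test-FlashKillBit` afterwards should report `KillBitSet` as True for the paths that exist on the machine.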


Group Policy


You can deactivate Adobe Flash using Group Policy as well if you administer PCs with professional editions of Windows:

  1. Tap on the Windows-key, type gpedit.msc and hit the Enter-key. This opens the Group Policy Editor.
  2. Use the hierarchy on the left to go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management
  3. Double-click on "Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects" to open the policy.
  4. Set it to enabled, and click on ok.

Microsoft Edge

The Internet Explorer changes don't affect Microsoft Edge. You can disable Adobe Flash in Microsoft Edge directly or through policies.

Settings

To disable Adobe Flash in Microsoft Edge using the browser's settings, do the following:

  1. Open Microsoft Edge.
  2. Select Menu > Settings.
  3. Scroll down and click on "show advanced settings".
  4. Locate "Use Adobe Flash Player" and flip the preference to off.

Group Policy


  1. Tap on the Windows-key, type gpedit.msc and hit the Enter-key. This opens the Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge.
  3. Double-click on "Allow Adobe Flash".
  4. Set the policy to disabled, and click on ok. (via gHacks)


This article was first seen on ComTek's "TekBits" Technology News
