
Two High risk Flaws From Adobe Flash and Chrome Extensions


RV_


For Windows 10 users this update is available in Windows updates now.

Flash has an out of cycle update for a serious vulnerability:

Adobe releases out-of-band security update for newly discovered Flash zero-day

Zero-day spotted embedded in malicious Office documents uploaded on VirusTotal.

Excerpt:

"Adobe released patches today for a new zero-day vulnerability discovered in the company's popular Flash Player app. The zero-day has been spotted embedded inside malicious Microsoft Office documents.

These documents were discovered last month after they've been uploaded on VirusTotal, a web-based file scanning service, from a Ukrainian IP address.

According to reports from Gigamon (formerly ICEBRG) and Chinese cyber-security firm Qihoo 360 Core Security, the two companies which spotted the documents, the zero-day was embedded as a Flash Active X object inside a Word document designed to look like a seven-page employment application for a Russian state healthcare clinic.

If victims who received the documents allowed the Flash Active X object to execute, researchers said the malicious code would escalate its access from the Office app to the underlying OS. Here it would drop a JPG file, then unzip another RAR file attached at the end of this JPG file to drop an EXE file on the victim's PC, and then run this file (a basic barebones backdoor trojan). Researchers said this zero-day was capable of running on both 32-bit and 64-bit architectures."

More here in the original article: https://www.zdnet.com/article/adobe-releases-out-of-band-security-update-for-newly-discovered-flash-zero-day/?promo=404&tag=nl.e404.em&ttag=e404&s_cid=e404&ftag=CAD-04-10aag0g&cval=cnet-nl-zd&regId=MjA2NDA1NjI0MTM4ODQzODU4MTc4MDc0NzE1ODEwMzE%3D&bhid=20640562413884385817807471581031

 

And this:

Cyber-espionage group uses Chrome extension to infect victims

Suspected North Korean APT uses Google Chrome extension to infect victims in the academic sector.

https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/?promo=404&tag=nl.e404.em&ttag=e404&s_cid=e404&ftag=CAD-04-10aag0g&cval=cnet-nl-zd&regId=MjA2NDA1NjI0MTM4ODQzODU4MTc4MDc0NzE1ODEwMzE%3D&bhid=20640562413884385817807471581031

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


Archived

This topic is now archived and is closed to further replies.
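
A defender's check for the dropper stage described in the quoted excerpt (an archive attached at the end of a JPG file), added here as an example and not taken from the post or the linked article. It walks the JPEG segment structure to find the true end of the image instead of trusting the first `FF D9` it sees, then reports trailing bytes and any RAR signature in them; the function names and the sample bytes are constructed for illustration.

```python
import struct

# RAR 1.5-4.x and RAR 5.x archive signatures
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

def jpeg_end(data: bytes):
    """Walk JPEG segments; return the offset just past EOI, or None if malformed."""
    if data[:2] != b"\xff\xd8":                  # must start with SOI
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                       # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                       # EOI: the image ends here
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers with no length field
            i += 2
            continue
        if i + 4 > len(data):
            return None
        i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker == 0xDA:   # SOS: skip entropy-coded data up to the next real marker
            while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] not in (0x00, 0xFF)
                    and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return None

def inspect_image(data: bytes) -> dict:
    """Report bytes after the JPEG's EOI and the offset of any RAR signature there."""
    end = jpeg_end(data)
    if end is None:
        return {"jpeg": False, "trailing": 0, "rar_offset": None}
    hits = [p for p in (data.find(m, end) for m in RAR_MAGICS) if p >= 0]
    return {"jpeg": True, "trailing": len(data) - end,
            "rar_offset": min(hits) if hits else None}

def sample_jpeg() -> bytes:
    """Constructed JPEG skeleton: structurally valid for this walker, not decodable."""
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xfe" + struct.pack(">H", 4) + b"\xff\xd9"   # comment holding a decoy EOI
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
            + b"\x12\xff\x00\x34" + b"\xff\xd9")

if __name__ == "__main__":
    print(inspect_image(sample_jpeg()))
    print(inspect_image(sample_jpeg() + b"Rar!\x1a\x07\x00" + b"\x00" * 16))
```

Trailing bytes alone are not proof of a payload, since some cameras and editors append their own data after EOI; a RAR signature in that region is the stronger signal.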
