Stop me if you’ve heard this before, but hackers found a way to attack you via Adobe’s Flash Player, a content platform that just refuses to die.
The new vulnerability is of the zero-day variety, which means all Flash versions are affected, including the latest releases for Linux, Mac, and Windows. The best way to protect yourself against it would be to uninstall it from your machine for the time being. Also, you might want to consider keeping it uninstalled even after Adobe releases a patch for it.
Adobe already released a security advisory (APSA18-01) that describes the CVE-2018-4878 flaw and confirms that all Flash Players up to v22.214.171.124 are affected. Adobe plans to patch the issue in an update expected to be released during the week of February 5th.
The issue affects Adobe Flash Player Desktop Runtime on Linux, Mac, and Windows, as well as Flash Player for Google Chrome and Microsoft Edge.
But there’s even worse news: Adobe confirmed that hackers are already exploiting the vulnerability. “Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,” Adobe’s note says. “These attacks leverage Office documents with embedded malicious Flash content distributed via email.”
Adobe advises users to enable Protected View so they open documents in read-only mode, and a post on GHacks explains how to do it.
Again, the best way to stay protected right now is to uninstall Flash until a fix becomes available next week.