Video: A brief history of Adobe Flash.

Advanced hackers have demonstrated that you really don’t need browsers to exploit Flash Player vulnerabilities on Windows. Office does the job just fine.

Adobe has released an update to address a critical flaw affecting Flash Player that is actively being exploited, otherwise known as a zero-day flaw.

Adobe is urging users to update from Adobe Flash Player 29.0.0.171 to the patched version, 30.0.0.113. It also addresses three other flaws.

An exploit for the flaw, CVE-2018-5002, is stealthily delivered in emailed Excel attachments using a novel technique designed to minimize the risk of detection by antivirus and frustrate forensic analysis.

The flaw was discovered by researchers at security firms Iceberg and Qihoo 360 Core Security, which have provided separate analyses of the techniques.

See: 17 tips for protecting Windows computers and Macs from ransomware (free PDF)

Instead of embedding malicious Flash content directly in the Office document, which might be detected by analyzing its code, the Excel file calls in the Flash exploit from a remote server.

Iceberg notes that the remote inclusion helps evade detection because the document doesn’t contain any malicious code.

Remotely loading the malicious Flash object also allows the attacker to selectively serve exploits to targets based on IP address, or avoid non-targets based on a regional ISP, a cloud provider or by security product.

After opening the malicious Excel document, it will request a malicious Shock Wave Flash…

[SOURCE]