Microsoft has released Adobe’s patch for a critical flaw in Flash Player that suspected North Korean hackers have exploited in malicious Excel sheets.
Researchers at Cisco Talos said hackers known as Group 123 were using the zero-day Flash flaw and Excel sheets to deliver the ROKRAT remote-administration tool.
The use-after-free vulnerability in Flash allowed attackers to gain remote code execution on Windows, macOS, Linux, and Chrome OS, Adobe warned last week after South Korea’s CERT said it had observed a Flash exploit for CVE-2018-4878 being used in the wild.
Adobe said at the time that it would develop a patch over the coming week; that patch was released on Tuesday.
Adobe’s update shuts down this avenue for gaining remote code execution on Windows, macOS, Linux, and Chrome OS, and bumps up the current version of Flash Player to 126.96.36.199.
Since Microsoft is responsible for updating Flash Player in Internet Explorer and Edge, the company notes that its “out-of-band February 6 security release consists of security updates for Adobe Flash”.
Cisco researchers found that Group 123’s Excel sheets contained an embedded ActiveX object, a malicious Flash file, which downloaded ROKRAT from a compromised web server.
Notably, it is the first time this group has been seen using a zero-day exploit, suggesting the targets were carefully selected and high value.
FireEye, which calls Group 123 TEMP.Reaper, said it had observed the group interacting with their command-and-control infrastructure from North Korean IP addresses. Most of the group’s targets were South Korean government, military and defense industry organizations, it said.
Adobe also patched a second use-after-free vulnerability that could allow for remote code execution.
Flash Player installed with Chrome, Edge and Internet Explorer 11 will be updated to the latest version automatically.
Flash Player, once a favorite target for exploit kits, will reach end-of-life in December 2020 as the industry moves towards HTML5. Microsoft and Google plan to have dropped support for Flash before then.