Adobe’s Flash Player for Windows, Mac and Linux has a critical vulnerability that should be patched as a top priority. Flash has a dismal history of critical vulnerabilities – so what’s the hurry this time? The answer to that question is buried in the brief Adobe advisory explaining the issue:
“Technical details about this vulnerability are publicly available.”
That’s a warning that although no exploits have been detected so far, they are unlikely to be far off and might even be underway.
The SANS Institute’s Johannes B. Ullrich makes an interesting point about the flaw’s imminent exploitation:
“This is of course, in particular, worrying ahead of the long weekend (in the US) with many IT shops running on a skeleton crew.”
The vulnerability was made public last week by a researcher on the same day Adobe released its monthly patch, which means it’s been in the public realm for at least that long.
Identified as CVE-2018-15981, the problem is a type confusion bug that could lead to remote code execution (RCE), triggered via a malicious Flash file on a boobytrapped website.
The affected versions are 184.108.40.206 and earlier running on all platforms, which covers the Desktop Runtime as well as Flash running inside the Chrome (and Chromebook), Edge, Firefox and Internet Explorer browsers.