[SingCERT] Alert on Adobe Flash Player Vulnerability (CVE-2018-15981)

Published on Thursday, 22 November 2018 16:47

Background

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh Operating System (MacOS), Linux and Chrome Operating Systems (OS). The vulnerability occurs because the interpreter code of the ActionScript Virtual Machine does not reset when an exception is caught. This leads to a “type confusion” bug, which could allow remote code execution. The security updates address this critical vulnerability (CVE-2018-15981) in Adobe Flash Player.

Affected Version

• Adobe Flash Player Desktop Runtime version 31.0.0.148 and earlier for Windows, MacOS and Linux
• Adobe Flash Player for Google Chrome version 31.0.0.148 and earlier for Windows, MacOS, Linux and Chrome OS
• Adobe Flash Player for Microsoft Edge and Internet Explorer 11 version 31.0.0.148 and earlier for Windows 10 and 8.1

Impact

Successful exploitation of this vulnerability could allow attackers to execute arbitrary code on affected systems. Attackers can take control of an affected system to perform malicious activities such as installing programs without authorisation, creating rogue administrator accounts and altering data.

Recommendations

• Users running affected versions of Adobe Flash Player Desktop Runtime for Windows, MacOS and Linux should update to the latest version, Adobe Flash Player 31.0.0.153.
• Affected versions of Adobe Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11 will be updated automatically to the latest version, Adobe Flash Player 31.0.0.153.
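
The following is an added example, not part of the original alert: a small script that triages an installed-software inventory against the versions named above. The inventory rows, host names and variant labels ("desktop", "chrome", "edge_ie") are constructed for illustration; only the version numbers and the manual/automatic update distinction come from this alert.

```python
# Added example: triage a software inventory against this alert.
# Version thresholds come from the alert text; inventory rows are constructed.
AFFECTED_MAX = (31, 0, 0, 148)   # "version 31.0.0.148 and earlier"
FIXED = (31, 0, 0, 153)          # "Adobe Flash Player 31.0.0.153"

# Per the Recommendations: Desktop Runtime needs a user-initiated update,
# browser-embedded players are updated automatically.
# The variant labels are hypothetical names chosen for this example.
ACTION = {
    "desktop": "update manually to 31.0.0.153",
    "chrome": "automatic update; confirm it has applied",
    "edge_ie": "automatic update; confirm it has applied",
}

def parse_version(text):
    """Turn '31.0.0.148' into (31, 0, 0, 148); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(variant, version_text):
    """Return (status, action) for one installed Flash Player."""
    version = parse_version(version_text)
    if version is None or variant not in ACTION:
        return ("unknown", "check manually")
    if version >= FIXED:
        return ("patched", "none")
    # Tuples compare numerically, so 30.0.0.154 is correctly below 31.0.0.148
    # (a plain string comparison would get multi-digit fields wrong).
    if version <= AFFECTED_MAX:
        return ("affected", ACTION[variant])
    # Between the two versions the alert names: not listed either way.
    return ("unlisted", "below 31.0.0.153; " + ACTION[variant])

# Constructed inventory: (host, variant, installed version).
INVENTORY = [
    ("ws-01", "desktop", "31.0.0.148"),
    ("ws-02", "chrome", "30.0.0.154"),
    ("ws-03", "edge_ie", "31.0.0.153"),
    ("ws-04", "desktop", "31.0.0.150"),
    ("ws-05", "desktop", "31.0.0"),
]

def report(rows=INVENTORY):
    return [(host, *triage(variant, ver)) for host, variant, ver in rows]

if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```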

References

https://helpx.adobe.com/security/products/flash-player/apsb18-44.html
https://threatpost.com/critical-adobe-flash-bug-impacts-windows-macos-linux-and-chrome-os/139264/