Adobe Flash Player has been found to contain a critical security bug along with another high-impact vulnerability. The issues are being tracked under CVE-2018-15982, and attacks using these weaknesses have already been reported. All Flash Player users should update their installations as soon as possible to avoid being hacked.
Adobe Flash Player Critical Flaw and Vulnerabilities Tracked in CVE-2018-15982
This month has brought news of a new set of Adobe Flash Player vulnerabilities. They are tracked in the CVE-2018-15982 advisory, and the worrying fact is that exploits using them have already been reported. The critical bug is described as an arbitrary code execution possibility, which means that hackers can use Flash Player to execute malicious code on the target computers. It has been assigned a critical rating because Adobe has received reports of abuse. Security reports indicate that an unknown malicious actor is leveraging it against a healthcare organization associated with the Russian presidential administration. The flaw is present on all popular platforms: Microsoft Windows, macOS, Linux and Chrome OS. The necessary patches have already been released.
The CVE-2018-15983 advisory tracks the other vulnerability, which is categorized as privilege escalation. Its severity rating is “important”; the flaw enables Flash Player to gain unauthorized entry to the system via the increased access.
The limited information available shows that the malicious hackers are using infected documents, particularly Microsoft Word ones. The documents are packed inside a RAR archive along with a JPG photo. Once the archive is opened and the Microsoft Word document is launched, the built-in Flash scripts extract a malware payload from the photo. This tactic is used to avoid detection by most security software, which scans directly for executable malware files. The approach also shows that advanced phishing tactics have been used to spread the payload carriers. It is very possible that this attack scenario is based on research and careful planning.
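For defenders triaging image attachments that arrive next to Office documents, the following added example (not from Adobe or the original report) walks a JPEG's segment structure and reports how many bytes sit after the real end-of-image marker. The report does not say how the payload was stored in the photo; checking for trailing data is an assumption covering one common carrier method, and the sample bytes are constructed.

```python
import struct

def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk the JPEG segment structure and return the number of bytes that
    follow the real end-of-image (EOI) marker. Raises ValueError when the
    stream is not a complete JPEG."""
    if data[:2] != b"\xff\xd8":                        # SOI must open the file
        raise ValueError("missing SOI marker")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:           # marker prefix and fill bytes
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                             # EOI: the image ends here
            return n - pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            continue
        if pos + 2 > n:
            break
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])
        if seglen < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seglen                                  # also skips APPn thumbnails
        if marker == 0xDA:                             # SOS: entropy-coded scan follows
            while pos + 1 < n and not (
                data[pos] == 0xFF
                and data[pos + 1] != 0x00              # FF00 is a stuffed data byte
                and not 0xD0 <= data[pos + 1] <= 0xD7  # restart markers stay in the scan
            ):
                pos += 1
    raise ValueError("no EOI marker found")

# Constructed sample: SOI, an APP0 segment whose payload happens to contain
# FF D9, an SOS header, scan data with a stuffed byte and a restart marker, EOI.
CLEAN = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 6) + b"\xff\xd9AB"
         + b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
         + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
TRAILER = b"CONSTRUCTED-TRAILER"                       # stands in for appended data

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("with trailer", CLEAN + TRAILER)):
        print(f"{name}: {jpeg_trailing_bytes(blob)} byte(s) after EOI")
```

A non-zero result is a reason to inspect the file further, not proof of malice, and a zero result does not rule out data hidden inside the image segments themselves.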
For more information on the bugs, check the associated Adobe Security Bulletin page. The company recommends that all users patch their systems as soon as possible to prevent any abuse.