Adobe Patches Zero-Day Vulnerability in Flash Player
2018-12-06 14:30 by Daniela
Tags: Adobe Flash
Adobe on Wednesday released several unscheduled fixes for Flash Player, including one for a critical vulnerability that it said is being exploited in the wild. Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982. The campaign has been named "Operation Poison Needles" and targeted the Russian FSBI "Polyclinic #2" medical clinic.
"Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS," Adobe said in its release. "These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer. Successful exploitation could lead to arbitrary code-execution and privilege-escalation in the context of the current user respectively."
CVE-2018-15982 is a use-after-free in Flash's com.adobe.tvsdk.mediacore.metadata package that can be exploited to deliver and execute malicious code on a victim's computer. Impacted are Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11, all for versions 220.127.116.11 and earlier. Adobe Flash Player Installer versions 18.104.22.168 and earlier are also affected.
Users and admins are advised to test and install the patches as soon as possible.