Reports say zero-day exploits have been observed in the wild

Dec 5, 2018 21:54 GMT

Adobe patched a cross-platform zero-day Flash Player vulnerability which could allow remote attackers to execute arbitrary code on vulnerable machines.

The security issue tracked as CVE-2018-15982 is present in Flash Player 31.0.0.153 and earlier versions installed on computers running Windows, macOS, and Linux.

According to Adobe, there are already reports of an exploit for CVE-2018-15982 in the wild, embedded in maliciously crafted Microsoft Office documents containing the zero-day code.

The zero-day exploit has been observed in the form of a Flash ActiveX object which would drop a backdoor Trojan capable of running on 32-bit and 64-bit architectures.

Qihoo 360 Core Security, Gigamon Applied Threat Research, and 360 Threat Intelligence were the first to observe the zero-day being actively exploited in the wild, and subsequently reported the issue to Adobe's Product Security Incident Response Team (PSIRT) on Thursday, November 29th.

A privilege escalation bug also impacts unpatched Flash Player versions 

"The lure document used to initiate the attack was a carefully forged employee questionnaire, which exploited the latest Flash 0day vulnerability CVE-2018-15982 and a customized Trojan with self-destruction function," according to Qihoo 360 Core Security.

Moreover, "All the technical details indicate that the APT group is determined to compromise the target at any price, but at the same time, it is also very cautious."

Adobe also patched a remotely exploitable privilege escalation bug tracked as CVE-2018-15983 which could make it possible for a potential attacker to compromise vulnerable systems.

The privilege escalation issue resides in the insecure manner in which Flash Player loads DLL libraries, which would allow an attacker to use a maliciously crafted DLL file to execute arbitrary code on the compromised machine in the context of the current user.

All users of the Adobe Flash Player Desktop Runtime for Windows, macOS, and Linux are advised to update to the patched 32.0.0.101 version using the built-in update mechanism or via the Adobe Flash Player Download Center.

[Image: Flash Player vulnerability]
[Image: Hidden object containing zero-day inside of the document header]