Remote code execution in Adobe Flash Player

Published: 2018-02-01 | Updated: 2018-02-06
Severity Critical
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-4878
CWE ID CWE-416
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software Adobe Flash Player Subscribe
Vendor Adobe

Security Advisory

This security advisory describes one critical risk vulnerability.

1) Use-after-free

Severity: Critical

CVSSv3: 9.2 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-4878

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can execute arbitrary code on the target system.

Note: this vulnerability is being actively exploited in the wild against the latest version of Adobe Flash Player.

UPDATE: The vendor has issued the fixed version on February 6, 2018.

Mitigation

Update to version 28.0.0.161.

Vulnerable software versions

Adobe Flash Player: 25.0.0.148, 25.0.0.163, 25.0.0.171, 26.0.0.120, 26.0.0.126, 26.0.0.131, 26.0.0.137, 26.0.0.151, 27.0.0.130, 27.0.0.170, 27.0.0.183, 27.0.0.187, 28.0.0.126, 28.0.0.137

CPE External links

https://helpx.adobe.com/security/products/flash-player/apsa18-01.html
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.