Adobe has released a Flash Player update that plugs a critical vulnerability (CVE-2018-15981) that could lead to remote code execution, and is urging users to implement it as soon as possible.
The flaw affects Flash Player 220.127.116.11 and earlier versions on Windows, macOS, Linux and Chrome OS, and details about it are already publicly available, the company warned.
CVE-2018-15981 was discovered and publicly disclosed by researcher Gil Dabah last week.
“The interpreter code of the ActionScript Virtual Machine (AVM) does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution,” he explained, then proceeded to detail how it can be triggered.
SANS Dean of Research Johannes Ullrich also advised admins to get patching immediately, if possible.
“Widespread exploitation may be imminent. This is of course, in particular, worrying ahead of the long weekend (in the US) with many IT shops running on a skeleton crew. Try to patch this before you head out on Wednesday, or maybe the weekend shift can take care of it,” he counseled.
“Of course, over the weekend you may be asked to look at issues with relative’s systems. I recommend that you first apply all patches, including this one, then disable Flash. By first patching, and later disabling, you increase your chances of a patched version being installed once the user decides to re-enable Flash. Google Chrome and Microsoft’s Edge browser also need to be updated. Both include Flash by default and are vulnerable.”
Consider removing Flash Player
Removing Flash Player altogether and learning how to do without it might be the best option for many, as Adobe is planning to end support for it by the end of 2020.