11-22-2018 , 12:11 PM
Quote:Adobe released a security update yesterday that resolves a critical vulnerability in Flash Player that could allow malicious sites to execute code on your computer.
According to the Adobe APSB18-44 bulletin, this vulnerability has a CVE ID of CVE-2018-15981 and is a Type Confusion vulnerability that could allow remote code execution. This means that an attacker can create a malicious SWF file, host it on a web site, and exploit vulnerable visitors when they browse the site. This would then allow them to execute any command on the computer such as downloading and installing malware.
A security update for Adobe Flash Player was already released this month on November 13th along with updates for other products. The reason Adobe has released another update is because the technical information regarding this vulnerability has already been posted online and could be used by attackers to create a working exploit.
It seems that on the same day that the November 13th Flash Player update was released, a blog post was published that provided a detailed overview of a type confusion vulnerability in Flash Player.
TLDR; There’s a bug in Adobe Flash," stated the blog post. "The interpreter code of the Action Script Virtual Machine (AVM) does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution."
According to Eduard Kovacs of Security Week, this blog belongs to an Israel-based researcher name Gil Dabah. It is not known why the vulnerability was disclosed publicly.
Ultimate, if for you are still using Flash for some reason, you need to update immediately in order to protect yourself while browsing the web. To resolve this vulnerability, users can upgrade to Adobe Flash Player 31.0.0.153.
SOURCE