Adobe’s Flash Player for Windows, Mac and Linux has a critical vulnerability that should be patched as a top priority.
Technical details about this vulnerability are publicly available.
That’s a warning sign: although no in-the-wild exploits have been detected so far, they are unlikely to be far off and might already be underway.
The SANS Institute’s Johannes B. Ullrich makes an interesting point about the flaw’s imminent exploitation:
This is of course, in particular, worrying ahead of the long weekend (in the US) with many IT shops running on a skeleton crew.
The vulnerability was made public last week by a researcher on the same day Adobe released its monthly patch, which means it’s been in the public realm for at least that long.
Identified as CVE-2018-15981, the problem is a type confusion bug that could lead to remote code execution (RCE), triggered simply by loading a malicious Flash file from a booby-trapped website.
The affected versions are 31.0.0.148 and earlier on all platforms, which means the Desktop Runtime as well as the plugin bundled with or loaded by Chrome (including Chrome OS), Edge, Firefox and Internet Explorer.
Flash is heavily locked down in current browsers (Chrome, Firefox, Edge, Safari), which now require users to activate it each time it is used.
That’s not a perfect defence because users can be tricked into clicking through the activation prompt, which is why it’s also possible to disable it completely (after installing any patches, in case it gets re-enabled later).
Better still, with Flash on its last legs before the 2020 end of life cut-off, remove it completely.
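As an added example (not code from the article or from Adobe), the following Python script inventories Flash Player binaries in their usual install locations and flags any build at or below 31.0.0.148, the last affected version listed for this CVE in Adobe's bulletin APSB18-44. The install paths and file-name conventions it checks are assumptions about typical layouts and should be adjusted for your own estate. It also shows why version strings must be compared as integer tuples rather than as strings.

```python
"""Inventory Flash Player installs and flag builds vulnerable to CVE-2018-15981.

Added example, not from the article. The threshold is the last affected build
from Adobe's APSB18-44; install locations below are typical paths (assumed).
"""
import os
import re
import sys
from pathlib import Path

# Last build affected by CVE-2018-15981; 31.0.0.153 carries the fix (APSB18-44).
LAST_VULNERABLE = (31, 0, 0, 148)

VERSION_DOT = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
# Adobe encodes the build in plugin file names, e.g. NPSWF64_31_0_0_148.dll
# (NPAPI, Firefox) or pepflashplayer64_31_0_0_148.dll (PPAPI, Chromium). Assumed convention.
VERSION_IN_NAME = re.compile(r"_(\d+)_(\d+)_(\d+)_(\d+)\.(?:dll|so|plugin)$", re.I)


def parse_version(text):
    """Return a 4-int tuple from '31.0.0.148' or the 'LNX 31,0,0,148' marker form."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"no 4-part Flash version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Tuple comparison is numeric per component; a plain string comparison is not:
    '9.0.0.0' <= '31.0.0.148' is False lexically, so a string check would miss Flash 9."""
    return tuple(version) <= LAST_VULNERABLE


def version_from_filename(name):
    m = VERSION_IN_NAME.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def version_from_linux_so(path):
    """libflashplayer.so embeds a marker like b'LNX 31,0,0,148' (assumed format)."""
    try:
        data = Path(path).read_bytes()
    except OSError:
        return None
    m = re.search(rb"LNX (\d+,\d+,\d+,\d+)", data)
    return parse_version(m.group(1).decode()) if m else None


def candidate_roots():
    """Typical Flash locations per platform (assumptions; extend for your environment)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        windir = Path(os.environ.get("WINDIR", r"C:\Windows"))
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [windir / "System32" / "Macromed" / "Flash",
                windir / "SysWOW64" / "Macromed" / "Flash",
                local / "Google" / "Chrome" / "User Data" / "PepperFlash"]
    if sys.platform == "darwin":
        return [Path("/Library/Internet Plug-Ins"),
                home / "Library/Application Support/Google/Chrome/PepperFlash"]
    return [Path("/usr/lib/flashplugin-installer"), Path("/usr/lib/adobe-flashplugin"),
            Path("/usr/lib/mozilla/plugins"), home / ".mozilla/plugins",
            Path("/opt/google/chrome/PepperFlash"), home / ".config/google-chrome/PepperFlash"]


def find_installs(roots=None):
    """Return [(path, version)] for every Flash binary found under the given roots."""
    found = []
    for root in (roots if roots is not None else candidate_roots()):
        root = Path(root).expanduser()
        if not root.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            here = Path(dirpath)
            # Chrome's component-updated PPAPI Flash sits in a directory named after the build.
            if here.name == "PepperFlash":
                found.extend((here / d, parse_version(d)) for d in dirnames if VERSION_DOT.match(d))
            for f in filenames:
                v = version_from_filename(f)
                if v is None and f == "libflashplayer.so":
                    v = version_from_linux_so(here / f)
                if v is not None:
                    found.append((here / f, v))
    return found


def report(installs):
    """One tab-separated line per install: version, status, path."""
    lines = []
    for path, v in installs:
        status = "VULNERABLE (CVE-2018-15981)" if is_affected(v) else "patched"
        lines.append(f"{'.'.join(map(str, v))}\t{status}\t{path}")
    return lines


if __name__ == "__main__":
    installs = find_installs()
    print("\n".join(report(installs)) or "No Flash Player binaries found in the usual locations.")
    sys.exit(1 if any(is_affected(v) for _, v in installs) else 0)
```

Run it as the logged-in user on each platform (the Chrome PepperFlash copy lives under the user profile); a non-zero exit code marks a host that still needs the patch or, better, the uninstall.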
Recent figures suggest that under 5% of websites use it, so losing it shouldn’t be noticed.
However, history teaches us to be realistic: most likely Flash will continue as a zombie technology well into the future, long after Adobe has washed its hands of a favourite target for the internet’s bad guys.
Make sure you’re not one of the holdouts.