Adobe Flash Player Has (Another) Critical Zero-Day Vulnerability

The Adobe Flash Player is widely adopted and a choice target for attackers given its history with vulnerabilities and the potential footprint exploits can have. Adobe consistently provides security updates for critical vulnerabilities. However, CVE-2018-5002 is the second zero-day vulnerability in Adobe Flash Player this year (the earlier one being CVE-2018-4877). Today, Adobe released a security patch for this vulnerability, along with other critical updates. This vulnerability was independently discovered by ICEBRG, Qihoo 360 and Tencent and impacts Adobe Flash Player 29.0.0171 and earlier versions. According to Adobe, the vulnerability is a stack-based buffer overflow bug that could allow arbitrary code execution.

Impact assessment

An attacker who successfully exploits the vulnerability could take control of an affected system. Exploits in the wild have leveraged Microsoft Office documents containing malicious Flash Player content via targeted email campaigns. At this time, the targeted systems seem to be Windows devices in the Middle East, according to Qihoo 360 Core Security. Adobe has released a security update for Adobe Flash Player on various affected platforms, including Windows, macOS, Linux, and Chrome OS.

Urgently required actions

Adobe Flash Player requires an immediate update to version 30.0.0.113 for all platforms.

Identifying affected systems

Tenable® has been monitoring the situation. We’ve released the following Nessus® plugins to assist our customers in finding and securing their exposure to CVE-2018-5002 as well as the other vulnerabilities patched in this update.

Get more information

• Qihoo360
• Adobe
• Learn more about Tenable.io,® the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management