Adobe on Wednesday released several unscheduled fixes for Flash Player, including a critical vulnerability that it said is being exploited in the wild.
The critical vulnerability, CVE-2018-15982, is a use-after-free flaw enabling arbitrary code-execution in Flash.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS,” Adobe said in its release. “These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer. Successful exploitation could lead to arbitrary code-execution and privilege-escalation in the context of the current user respectively.”
The flaw was discovered by Chenming Xu and Ed Miles of Gigamon ATR. Researchers on Wednesday also outlined the further technical details about the exploit of the vulnerability.
Impacted is Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome; Adobe Flash Player for Microsoft Edge and Internet Explorer 11; all for versions 220.127.116.11 and earlier. Adobe Flash Player Installer versions 18.104.22.168 and earlier is also affected.
Users of these impacted products can update to version 22.214.171.124, according to Adobe. Users of Adobe Flash Player Installer can update to version 126.96.36.199.
Adobe also patched an important-rated insecure library loading (via DLL hijacking) vulnerability, CVE-2018-15983, that could lead to privilege escalation via Adobe Flash.
This is only the latest exploit to hit Adobe Flash – earlier in June, a zero-day Flash vulnerability was is being exploited in the wild in targeted attacks against Windows users in the Middle East, according to researchers. Adobe dealt with another zero-day Flash vulnerability back in February, which was exploited by North Korean hackers.