Multiple Vulnerabilities in Adobe Flash Player
Original Issue Date: February 03, 2018
Severity Rating: High
- Adobe Flash Player Desktop Runtime Version 220.127.116.11 and prior for Windows, Macintosh and Linux
- Adobe Flash Player for Google Chrome Version 18.104.22.168 and prior for Windows, Macintosh, Linux and Chrome OS
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 Version 22.214.171.124 and prior for Windows 10 and 8.1
Multiple Use-After-Free remote code execution vulnerabilities have been reported in Adobe Flash Player. Successful exploitation of these vulnerabilities could potentially allow an attacker to take control of the affected system.
Multiple Use-After-Free remote code execution vulnerabilities (CVE-2018-4878 and CVE-2018-4877) have been reported in Adobe Flash Player. The exploit for these vulnerabilities is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content, distributed via email.
Successful exploitation of these Remote Code Execution vulnerabilities could potentially allow an attacker to take control of the affected system.
- The latest updated version 126.96.36.199 of Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux can be downloaded from the Adobe Flash Player Download Center
- Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 188.8.131.52 for Windows, Macintosh, Linux and Chrome OS
- Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 184.108.40.206
- Administrators may consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.
- Adobe will release the security update on February 5 (local time). Users may consider removing Flash Player until the security patch is released
- To reduce the damage caused by the vulnerability, the user must:
  - Avoid visiting untrusted websites
  - Avoid viewing email attachments and links of unknown origin
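
The Protected View recommendation above can be audited per user. The following PowerShell is an added example, not part of the CERT-In advisory: it reports any Word, Excel or PowerPoint Protected View setting that has been switched off. It assumes Office 2013 or later (registry versions 15.0 and 16.0) and checks only the current user's hive.

```powershell
# Added example: audit Office Protected View settings for the current user.
# A DWORD value of 1 disables Protected View for that file source;
# a missing value or 0 leaves Protected View on (the Office default).
$officeVersions = @('15.0', '16.0')   # assumption: Office 2013, Office 2016 and later
$apps           = @('Word', 'Excel', 'PowerPoint')
$settings = @(
    'DisableInternetFilesInPV'        # files downloaded from the Internet zone
    'DisableAttachmentsInPV'          # attachments opened from Outlook
    'DisableUnsafeLocationsInPV'      # files in potentially unsafe locations
)
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Office'   # set through Group Policy
    'HKCU:\Software\Microsoft\Office'            # set in the Trust Center by the user
)

function Get-ProtectedViewFinding {
    foreach ($ver in $officeVersions) {
        foreach ($app in $apps) {
            foreach ($root in $roots) {
                $key = Join-Path $root "$ver\$app\Security\ProtectedView"
                foreach ($name in $settings) {
                    # Returns $null when the key or the value does not exist.
                    $value = (Get-ItemProperty -Path $key -Name $name `
                              -ErrorAction SilentlyContinue).$name
                    if ($value -eq 1) {
                        [pscustomobject]@{
                            Office  = $ver
                            App     = $app
                            Setting = $name
                            Key     = $key
                        }
                    }
                }
            }
        }
    }
}

$findings = @(Get-ProtectedViewFinding)
if ($findings.Count -eq 0) {
    'Protected View is not disabled for Word, Excel or PowerPoint in this user profile.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row in the output is a place where documents from that source open with active content enabled; removing the value or setting it to 0 restores Protected View.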
The information provided herein is on an "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003