Adobe Zero day Exploit arbitrary code execution
CVSS: Unknown at this time but ranked as critical
Its exploitation could allow an attacker to execute malicious code in the context of the current user. This vulnerability is known to be already exploited.
The team “Qihoo 360” found this vulnerability. An attacker could create a special Office document that, once opened, would load the flash Active-X plug-in that contains the vulnerability. It can be used to download and execute malicious code from remote servers for example.
A proof of concept is available on Qihoo 360 blog (see references).
The affected products are the following :
• Adobe Flash Player Desktop Runtime, 18.104.22.168 and earlier versions on Windows, macOS and Linux
• Adobe Flash Player for Google Chrome, 22.214.171.124 and earlier versions on Windows, macOS, Linux and Chrome OS
• Adobe Flash Player for Microsoft Edge and Internet Explorer 11, 126.96.36.199 and earlier versions on Windows 10 and 8.1
CERT.be recommends users to always keep their systems up to date. Please be advised that Flash is part of Windows 10 and that it cannot be removed.
The Flash plugin can be deactivated by following one or more of these steps :
You can also test if it’s activated using the following link :