
Adobe zero-day exploit: arbitrary code execution

Reference: Advisory #2018-019
Version: 1.0
Affected software: Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Adobe Flash Player for Microsoft Edge and Internet Explorer 11
Type: Arbitrary code execution in the context of the current user.
CVE/CVSS: CVE-2018-5002; CVSS unknown at this time but ranked as critical

Sources

https://helpx.adobe.com/security/products/flash-player/apsb18-19.html

Risks

Exploitation of this vulnerability could allow an attacker to execute malicious code in the context of the current user. The vulnerability is known to be already exploited.

Description

The “Qihoo 360” team found this vulnerability. An attacker could create a special Office document that, once opened, would load the Flash ActiveX plug-in that contains the vulnerability. The vulnerability can be used, for example, to download and execute malicious code from remote servers.
A proof of concept is available on the Qihoo 360 blog (see References).
The following products are affected:
• Adobe Flash Player Desktop Runtime, 29.0.0.171 and earlier versions on Windows, macOS and Linux
• Adobe Flash Player for Google Chrome, 29.0.0.171 and earlier versions on Windows, macOS, Linux and Chrome OS
• Adobe Flash Player for Microsoft Edge and Internet Explorer 11, 29.0.0.171 and earlier versions on Windows 10 and 8.1

Recommended Actions

CERT.be recommends that users always keep their systems up to date. Please be advised that Flash is part of Windows 10 and that it cannot be removed.
https://helpx.adobe.com/security/products/flash-player/apsb18-19.html
The Flash plugin can be deactivated by following one or more of these guides:
• https://www.laptopmag.com/articles/disable-flash-windows-10-edge-browser
• https://support.google.com/chrome/answer/6258784
• https://help.my-private-network.co.uk/support/solutions/articles/6000152...

You can also test whether Flash is activated using the following link:
https://helpx.adobe.com/flash-player.html

References

http://blogs.360.cn/blog/cve-2018-5002-en/