A just-fixed cross-platform Zero Day in Flash Player could have allowed attackers execute arbitrary code, officials said.
The security issue tracked as CVE-2018-15982 is present in Flash Player 188.8.131.52 and earlier versions installed on computers running Windows, macOS, and Linux.
There are already reports of an exploit for CVE-2018-15982 existing within maliciously crafted Microsoft Office documents containing the Zero Day code, said officials at Adobe, which created Flash Player.
The exploit has been observed in the form of a Flash Active X object which would drop a backdoor Trojan capable of running on 32-bit and 64-bit architectures.
Qihoo 360 Core Security, Gigamon Applied Threat Research, and 360 Threat Intelligence were the first ones to discover th exploit and report the issue to Adobe’s Product Security Incident Response Team (PSIRT).
In addition, Adobe also patched a remotely exploitable privilege escalation bug tracked as CVE-2018-15983 which could make it possible for a potential attacker to compromise vulnerable systems.
The privilege escalation issue resides in the insecure manner used by Flash Player loads DLL libraries that would allow an attacker to use a maliciously crafted DLL file to execute arbitrary code on the compromised machine in the context of the current user.
All users of the Adobe Flash Player Desktop Runtime for Windows, macOS, and Linux are recommended to update to the patched 184.108.40.206 version.