[German]Adobe closes the zero day vulnerability CVE-2018-4878 in Flash Player with version 220.127.116.11.161. The update is (or will be) released for Windows, Macintosh, Linux and Chrome OS. Addendum: A 2nd vulnerability CVE-2018-4877 has been closed.
Background: A Zero Day Exploit is used in the wild
Adobe Flash Player has a Zero Day vulnerability (CVE-2018-4878) in all versions up to version 18.104.22.168.137, which is documented in the Adobe Security Advisory for Flash Player APSA18-01. According to this report, a vulnerability CVE-2018-4877 (remote code execution) has been closed. The following Flash versions are affected.
|Adobe Flash Player Desktop Runtime||22.214.171.124 and earlier versions||Windows, Macintosh|
|Adobe Flash Player for Google Chrome||126.96.36.199 and earlier versions||Windows, Macintosh, Linux and Chrome OS|
|Adobe Flash Player for Microsoft Edge and Internet Explorer 11||188.8.131.52 and earlier versions||Windows 10 and 8.1|
|Adobe Flash Player Desktop Runtime||184.108.40.206 and earlier versions||Linux|
It’s a use after free vulnerability that allows attackers a remote code execution. Adobe has planned a fix for February 5, 2018. I’ve published recently some details within my blog post New Adobe Flash Zero-Day exploit in the wild, after korean CERT has warned about an exploit used in the wild.
Yesterday I received a comment within my German blog post Slimjet 17.0.6 verfügbar, where a reader mentioned, that his Slimjet browser contains an entry for Flash Player version 220.127.116.11 in folder Data\PepperFlash (see also the above screen shot). Another user at Google + mentioned yesterday, that ChromeOS in developer channel also support the new Flash Player version.
I’ve checked my Google Chrome browser for the Flash Player version. Therefore I entered chrome: //components into the address box and tot the page from the screenshot above. The browser reported version 18.104.22.1681 (although Adobe hasn’t released this version to the public). The explanation: Adobe probably completed the patch last week, but didn’t want to roll it out immediately, because they can’t react well, if issues arise during the weekend.
New Flash Player version 22.214.171.124
The release of Adobe Flash Player 126.96.36.199 is planned on February 5, 2018 for Windows, Macintosh, Linux and Chrome OS. If you have activated the auto-update function of the Flash-Player and installed the player separately, you should receive this update automatically. For Windows 8.1 and Windows 10, Microsoft will probably roll out the update on February 6, 2018 via Windows Update. The Chrome Browser should also automatically pull the update.
Which Flash Player version do I have?
The installed Flash version can be queried on this Adobe web site. There you can see if the Flash-Player is supported in the browser, which version is used and which version is available for the update at Adobe.
If you update the Flash Player via the above Adobe page, make sure that the PUPs offered (McAfee Security Scan Plus and True Key from Intel) are not installed with the software.
Addendum: Direct Flash player downloads
Visit this Adobe page and scroll down to section ‘Still having problems?’ – there are direct download links for Flash player.