Adobe Flash Player: New Update 28.0.0.161

Adobe closes the zero-day vulnerability CVE-2018-4878 in Flash Player with version 28.0.0.161. The update is (or will be) released for Windows, Macintosh, Linux and Chrome OS. Addendum: A second vulnerability, CVE-2018-4877, has been closed.



Background: A Zero Day Exploit is used in the wild

Adobe Flash Player has a zero-day vulnerability (CVE-2018-4878) in all versions up to version 28.0.0.137, which is documented in the Adobe Security Advisory for Flash Player APSA18-01. According to this report, a vulnerability CVE-2018-4877 (remote code execution) has been closed. The following Flash versions are affected:

| Product | Version | Platform |
| --- | --- | --- |
| Adobe Flash Player Desktop Runtime | 28.0.0.137 and earlier versions | Windows, Macintosh |
| Adobe Flash Player for Google Chrome | 28.0.0.137 and earlier versions | Windows, Macintosh, Linux and Chrome OS |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 28.0.0.137 and earlier versions | Windows 10 and 8.1 |
| Adobe Flash Player Desktop Runtime | 28.0.0.137 and earlier versions | Linux |

It’s a use-after-free vulnerability that allows attackers to execute code remotely. Adobe has planned a fix for February 5, 2018. I recently published some details in my blog post New Adobe Flash Zero-Day exploit in the wild, after the Korean CERT warned about an exploit used in the wild.

Version 28.0.0.161 of Flash Player in Slimjet 17.0.6

Yesterday I received a comment on my German blog post Slimjet 17.0.6 verfügbar, where a reader mentioned that his Slimjet browser contains an entry for Flash Player version 28.0.0.161 in the folder Data\PepperFlash (see also the above screenshot). Another user at Google+ mentioned yesterday that Chrome OS in the developer channel also supports the new Flash Player version.

Flash-Version in Google Chrome



I’ve checked my Google Chrome browser for the Flash Player version. To do so, I entered chrome://components into the address box and got the page from the screenshot above. The browser reported version 28.0.0.261 (although Adobe hasn’t released this version to the public). The explanation: Adobe probably completed the patch last week but didn’t want to roll it out immediately, because they can’t react well if issues arise during the weekend.

New Flash Player version 28.0.0.161

The release of Adobe Flash Player 28.0.0.161 is planned for February 5, 2018 for Windows, Macintosh, Linux and Chrome OS. If you have installed the Flash Player separately and activated its auto-update function, you should receive this update automatically. For Windows 8.1 and Windows 10, Microsoft will probably roll out the update on February 6, 2018 via Windows Update. The Chrome browser should also pull the update automatically.

Which Flash Player version do I have?

The installed Flash version can be queried on this Adobe website. There you can see whether the Flash Player is supported in the browser, which version is in use and which version Adobe offers as an update.

Flash Player

If you update the Flash Player via the above Adobe page, make sure that the PUPs offered (McAfee Security Scan Plus and True Key from Intel) are not installed with the software.
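For checking a browser's bundled Flash without opening it, the version-named entry in a PepperFlash folder (as mentioned above for Slimjet) can be compared against the affected and fixed versions from this article. The following is an added example, not code from Adobe or from the original post; the function names are hypothetical, and it assumes each bundled build appears in the folder as an entry named after its dotted version number.

```python
import os
import re

# Thresholds taken from the article: 28.0.0.137 and earlier are affected,
# 28.0.0.161 is the fixed release.
LAST_AFFECTED = (28, 0, 0, 137)
FIXED = (28, 0, 0, 161)

_VERSION_RE = re.compile(r"\d+(?:\.\d+){3}")


def parse_version(name):
    """Return (a, b, c, d) as ints for a name like '28.0.0.161', else None."""
    if not _VERSION_RE.fullmatch(name):
        return None
    return tuple(int(part) for part in name.split("."))


def classify(version):
    """Map a parsed version tuple to 'affected', 'fixed' or 'unknown'."""
    # Tuples compare numerically, so 28.0.0.99 sorts below 28.0.0.137;
    # comparing the raw strings would get this wrong.
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIXED:
        return "fixed"
    # Builds between the two thresholds are not covered by the article.
    return "unknown"


def scan_pepperflash(folder):
    """Classify every version-named entry in a PepperFlash-style folder.

    Assumption: entries are named after the dotted version number.
    Anything else in the folder is ignored.
    """
    found = {}
    for name in os.listdir(folder):
        version = parse_version(name)
        if version is not None:
            found[name] = classify(version)
    return found


def needs_update(folder):
    """True if the newest build present is older than the fixed release."""
    versions = [v for v in map(parse_version, os.listdir(folder)) if v]
    return bool(versions) and max(versions) < FIXED
```

Pass the full path of the PepperFlash folder to `scan_pepperflash` or `needs_update`; a folder with no version-named entries yields an empty result and `False`.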

Addendum: Direct Flash player downloads

Visit this Adobe page and scroll down to section ‘Still having problems?’ – there are direct download links for Flash player.

Similar articles:
New Adobe Flash Zero-Day exploit in the wild
How to disable Adobe Flash Player in Windows 8, 8.1, 10
Adobe Flash Player version 28.0.0.137 released

