On June 7, 2018, Adobe released an update for the Flash Player that upgrades it to version 126.96.36.199. Addendum: The information is now available: Adobe has closed a critical zero-day vulnerability that could be exploited via Office files and has been exploited in the wild on Windows through such files. Addendum: Microsoft has released update KB4287903 for Windows.
No information from Adobe so far
There is no information on the new build from Adobe yet; the latest security bulletin APSB18-16 still refers to the May update. A German blog reader notified me that he got a Flash update within his Slimjet browser. I just checked the current Google Chrome: Adobe Flash Player version 188.8.131.52 is already installed there.
Version 30 indicates that this is a new development branch, because we were previously on Adobe Flash 29.x.x. The fact that this update arrives outside the regular schedule (I would normally have expected it on June 12, 2018) could indicate a security problem.
Addendum: Zero-Day vulnerability CVE-2018-5002 closed
Adobe has closed a zero-day vulnerability that could be exploited through Office files. The vulnerability was discovered by several security providers (ICEBRG, Tencent, and two security departments of the Chinese security provider Qihoo 360). Adobe has published security advisory APSB18-19, which describes the vulnerability CVE-2018-5002:
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 184.108.40.206 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.
Details can be found in Security Advisory APSB18-19; updating to version 220.127.116.11 is strongly advised.
Adobe Flash Player version 18.104.22.168
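To triage mail attachments for the delivery method the advisory describes (Office documents with embedded Flash content), the following added example, which is not from Adobe's advisory or the original post, scans an Office file for references to the Flash ActiveX control. The CLSID and ProgID are the well-known identifiers of that control, and the sample document is constructed.

```python
import io
import uuid
import zipfile

# CLSID and ProgID of the Shockwave Flash ActiveX control (well-known values,
# not taken from the page).
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
CLSID_TEXT = str(FLASH_CLSID).encode("ascii")  # lowercase text, as in activeX*.xml
CLSID_BINARY = FLASH_CLSID.bytes_le            # GUID byte layout inside OLE streams
PROGID = b"shockwaveflash.shockwaveflash"


def flash_markers(blob: bytes) -> list[str]:
    """Return which Flash control markers occur in a byte blob."""
    lowered = blob.lower()
    found = []
    if CLSID_TEXT in lowered:
        found.append("clsid-text")
    if CLSID_BINARY in blob:
        found.append("clsid-binary")
    if PROGID in lowered:
        found.append("progid")
    return found


def scan_office_file(data: bytes) -> dict[str, list[str]]:
    """Map each part of an Office file to the Flash markers found in it."""
    parts = {"<raw>": data}  # legacy OLE files (.doc/.xls/.ppt): scan as one blob
    if zipfile.is_zipfile(io.BytesIO(data)):
        # OOXML files (.docx/.xlsx/.pptx) are ZIP archives: scan each member.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            parts = {i.filename: archive.read(i) for i in archive.infolist()}
    return {name: hits for name, blob in parts.items() if (hits := flash_markers(blob))}


def build_sample(with_flash: bool) -> bytes:
    """Constructed sample: a minimal ZIP shaped like a .docx, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            archive.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_office_file(build_sample(True)))   # flags word/activeX/activeX1.xml
    print(scan_office_file(build_sample(False)))  # {}
```

A hit only says that the document references the Flash ActiveX control; it says nothing about whether the Flash content is malicious.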
The following Flash versions are affected. Adobe Flash Player 22.214.171.124 is provided for Windows, Macintosh, Linux and Chrome OS platforms.
|Product|Version|Platform|
|---|---|---|
|Adobe Flash Player Desktop Runtime|126.96.36.199 and earlier versions|Windows, Macintosh|
|Adobe Flash Player for Google Chrome|188.8.131.52 and earlier versions|Windows, Macintosh, Linux and Chrome OS|
|Adobe Flash Player for Microsoft Edge and Internet Explorer 11|184.108.40.206 and earlier versions|Windows 10 and 8.1|
|Adobe Flash Player Desktop Runtime|220.127.116.11 and earlier versions|Linux|
If you have activated the auto-update function of the Flash Player and installed the player separately, you should receive this update automatically. Otherwise, download the new version via APSB18-19. I assume that the Flash Player for Windows 8.1 and Windows 10 will also be updated promptly by Microsoft (but no later than June 12, 2018).
Check for update in Google Chrome and Slimjet
The Chrome and Slimjet browsers should install the update automatically. You can also check for updates manually by typing chrome://components in the browser's address bar.
Above is my German Google Chrome (also the Slimjet browser), which reports that version 18.104.22.168 is installed.
This Adobe website shows me version 22.214.171.124 as current for the Flash Player. However, the previously available information about which Flash version is installed in the browser is missing. I guess this is because the Chrome browser already blocks Flash by default. This is exactly what Adobe's Flash test tells me.
If you upgrade the Flash Player to version 126.96.36.199 via this Adobe website (the version is already available there), make sure that the optional offerings (McAfee Security Scan Plus and True Key from Intel) are not installed.
Update KB4287903 for Windows
Microsoft has released security update KB4287903 to close the vulnerability for the following Windows versions:
- Windows Server Version 1803
- Windows 10 Version 1803
- Windows Server 2016 Version 1709
- Windows 10 Version 1709
- Windows 10 Version 1703
- Windows Server 2016
- Windows 10 Version 1607
- Windows 10 (RTM)
- Windows Server 2012 R2
- Windows RT 8.1
- Windows 8.1
This package is available via Windows Update and may also be downloaded from the Microsoft Update Catalog. If you choose a manual install, note the restrictions described in KB4287903. Also read ADV180014 for further details.
Addendum: It seems that some users are facing install issues with KB4287903; see my blog post Flash-Update KB4287903: Install issues with WSUS.