Adobe Flash Player Use After Free Vulnerability: APSB18-42

A use-after-free vulnerability in Adobe Flash Player that is being exploited in the wild and leads to arbitrary code execution has been addressed by Adobe in APSB18-42, which releases version 32.0.0.101. The same update also remediates an insecure library loading vulnerability that enables privilege escalation via DLL hijacking. MITRE has assigned CVE-2018-15982 to the use-after-free and CVE-2018-15983 to the insecure library loading issue. Correspondingly, Microsoft has released ADV180031 to address the two vulnerabilities.

Exploited in the Wild:
CVE-2018-15982 has already been weaponized and observed in APT campaigns targeting certain Russian individuals. It is exploited via a crafted Flash object embedded in a Microsoft Office document that is delivered by spear-phishing email. The document is disguised as a questionnaire from a Moscow-based clinic and relies on social engineering to entice the user into activating the embedded Flash content. If successful, an implanted binary contained in a .rar file is extracted and executed. This binary is a backdoor masquerading as the NVIDIA Control Panel application and is signed with a stolen, since-revoked digital certificate.
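The delivery vector above is a Flash object inside an Office document, so one practical hunt is to look for SWF content inside OOXML files arriving by email. The following is an added example written for this post, not code from Qualys or Adobe: it opens a zip-based Office document, scans every part for the SWF signatures (FWS, CWS, ZWS) with a sanity check on the version byte, and reports the part and offset. The sample document it builds is constructed inline for the demonstration; the OLE compound-file prefix and the 64-byte offset are assumptions about how an embedded object part might look, not a description of the real lure.

```python
import io
import zipfile

# SWF container signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def swf_offsets(blob: bytes) -> list:
    """Return every offset in blob at which a plausible SWF header begins.

    A SWF header is the 3-byte signature, a 1-byte SWF version, then a 4-byte
    little-endian uncompressed length. Requiring a sane version byte (1..50)
    keeps the letters 'FWS'/'CWS' appearing in ordinary text from triggering a hit.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = blob.find(magic, start)
            if i < 0:
                break
            if i + 8 <= len(blob) and 1 <= blob[i + 3] <= 50:
                hits.append(i)
            start = i + 1
    return sorted(hits)


def scan_office_document(data: bytes) -> list:
    """Scan an OOXML (zip-based .docx/.xlsx/.pptx) document for embedded Flash.

    Every part is scanned, not only word/embeddings/ or word/activeX/, because an
    OLE object part (e.g. oleObject1.bin) may carry the SWF behind a compound-file
    header rather than at offset 0. Returns [(part name, offset), ...].
    Legacy OLE2 (.doc/.xls) files are not zips and would need olefile instead.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            part = zf.read(info.filename)
            for off in swf_offsets(part):
                findings.append((info.filename, off))
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed sample input (not a real lure document): a minimal OOXML-style zip.

    When with_flash is True, an OLE-style binary part carries a fake zlib-compressed
    SWF (CWS, version 30) behind an assumed 64-byte compound-file prefix.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            fake_swf = (b"CWS" + bytes([30]) + (4096).to_bytes(4, "little")
                        + b"\x78\x9c" + b"\x00" * 32)
            ole_prefix = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56  # 64 bytes
            zf.writestr("word/embeddings/oleObject1.bin", ole_prefix + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("with_flash=%s -> %s" % (flag, scan_office_document(build_sample_docx(flag))))
```

Run it against a quarantined attachment with `scan_office_document(open(path, "rb").read())`; any hit in an Office document that has no business carrying Flash is worth a closer look, and a compressed (CWS/ZWS) body can then be inflated for deeper inspection.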

Mitigation:
Organizations should apply the latest patches from Adobe and Microsoft. Additionally, they can scan their environments with the following Qualys QIDs to detect CVE-2018-15982 and CVE-2018-15983:

QID       Description
237076    Red Hat Update for flash-plugin (RHSA-2018:3795)
91484     Microsoft Windows Adobe Flash Player Security Update for December 2018 (ADV180031)
371361    Adobe Security Update for Flash Player (APSB18-42)
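For environments where the installed version is collected by other means (a registry export, a software inventory, or a listing of the Macromed\Flash directory), the check reduces to comparing the reported build against the 32.0.0.101 fix build. The example below is added here and is not Qualys or Adobe code. It normalizes the common forms to a numeric tuple before comparing, because a plain string comparison gets the answer wrong. The comma-separated registry form and the versioned module names (Flash32_<ver>.ocx, NPSWF32_<ver>.dll, pepflashplayer32_<ver>.dll) are assumptions about how Flash reports itself on Windows, and the host inventory is constructed for the demonstration.

```python
import re

# Build shipped with APSB18-42; earlier builds lack the fixes for CVE-2018-15982/-15983.
FIXED_VERSION = (32, 0, 0, 101)

# Assumed naming of Adobe's versioned Windows modules, e.g. Flash32_31_0_0_153.ocx
# (ActiveX), NPSWF32_31_0_0_153.dll (NPAPI), pepflashplayer32_31_0_0_153.dll (PPAPI).
_MODULE_RE = re.compile(
    r"(?:Flash|NPSWF|pepflashplayer)(?:32|64)?_(\d+)_(\d+)_(\d+)_(\d+)\.(?:ocx|dll)$",
    re.IGNORECASE,
)
# Plain version strings: dotted (32.0.0.101) or the comma form assumed for the
# registry CurrentVersion value (32,0,0,101).
_PLAIN_RE = re.compile(r"^\s*(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\s*$")


def parse_flash_version(text: str) -> tuple:
    """Return the version as a 4-tuple of ints so comparisons are numeric.

    Comparing raw strings is wrong: '32.0.0.99' > '32.0.0.101' lexically, so a
    string-based check would report a hypothetical 32.0.0.99 build as patched.
    """
    m = _MODULE_RE.search(text) or _PLAIN_RE.match(text)
    if m is None:
        raise ValueError("unrecognised Flash version: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True when the build predates the APSB18-42 fix."""
    return version < FIXED_VERSION


def triage(inventory) -> dict:
    """inventory: iterable of (host, version string).

    Maps each host to 'vulnerable', 'patched' or 'unknown' (unparseable input is
    reported rather than silently treated as patched).
    """
    result = {}
    for host, raw in inventory:
        try:
            ver = parse_flash_version(raw)
        except ValueError:
            result[host] = "unknown"
            continue
        result[host] = "vulnerable" if is_vulnerable(ver) else "patched"
    return result


# Constructed sample inventory; hostnames and collected strings are invented.
SAMPLE_INVENTORY = [
    ("ws-01", "32,0,0,101"),                                      # registry form, patched
    ("ws-02", "Flash32_31_0_0_153.ocx"),                          # ActiveX module, previous release
    ("ws-03", "32.0.0.101"),
    ("ws-04", "C:\\Windows\\System32\\Macromed\\Flash\\NPSWF32_30_0_0_113.dll"),
    ("ws-05", "n/a"),                                             # Flash absent or not collected
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(host, state)
```

Treat "unknown" as a follow-up item rather than a pass: a host whose Flash version cannot be determined may still have an unpatched plugin under a path the collector did not look at.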


2 thoughts on “Adobe Flash Player Use After Free Vulnerability: APSB18-42”

    1. Hi Tom, you are correct. The QID was in the process of being released to production at the time this post was written. It has since been released in VULNSIGS-2.4.483-x. Can you please verify if you can see it in the knowledgebase now? Thanks!
