A publicly exploited use after free vulnerability leading to arbitrary code execution was discovered in the Adobe Flash Player. Adobe has addressed this vulnerability in APSB18-42, by releasing the latest version – 184.108.40.206. An additional insecure library loading vulnerability, which leads with privilege escalation via DLL hijacking attacks was also remediated via this update. MITRE has assigned CVE-2018-15982 & CVE-2018-15983 respectively for both these vulnerabilities. Correspondingly, Microsoft has also released ADV180031 to address the two vulnerabilities.
Exploited in the Wild:
CVE-2018-15982 has already been weaponized and found in APT campaigns, targeting certain Russian individuals. It is being exploited via crafted Flash objects that are embedded in a Microsoft Office document and delivered via a spear-phishing email attack. The document is disguised as a questionnaire from a Moscow based clinic and may use social engineering attacks to entice an user into executing the embedded crafter Adobe Flash content. If successful, an implanted binary within a .rar file is extracted and executed. This extracted binary is a backdoor masquerading NVIDIA Control Panel application that utilizes a stolen, revoked digital certificate.
We request organizations to apply the latest patches provided by Adobe and Microsoft. Additionally, organizations can scan their environment with the following Qualys QIDs to detect the vulnerabilities described as CVE-2018-15982 & CVE-2018-15983:
|237076||Red Hat Update for flash-plugin (RHSA-2018:3795)|
|91484||Microsoft Windows Adobe Flash Player Security Update for December 2018 (ADV180031)|
|371361||Adobe Security Update for Flash Player (APSB18-42)|
2 thoughts on “Adobe Flash Player Use After Free Vulnerability: APSB18-42”
QID 237076 does not exist in the Qualys knowledgebase, QID 91484 has no CVSS score and no CVSS3 score.
Hi Tom, you are correct. The QID was in the process of being released to production at the time this post was written. It has since been released in VULNSIGS-2.4.483-x. Can you please verify if you can see it in the knowledgebase now? Thanks!