Adobe Flash Player Use After Free Vulnerability: APSB18-42

A publicly exploited use-after-free vulnerability leading to arbitrary code execution was discovered in Adobe Flash Player. Adobe has addressed this vulnerability in APSB18-42, by releasing the latest version – An additional insecure library loading vulnerability, which leads to privilege escalation via DLL hijacking attacks, was also remediated via this update. MITRE has assigned CVE-2018-15982 and CVE-2018-15983 to these vulnerabilities, respectively. Correspondingly, Microsoft has also released ADV180031 to address the two vulnerabilities.

Exploited in the Wild:
CVE-2018-15982 has already been weaponized and found in APT campaigns targeting certain Russian individuals. It is being exploited via crafted Flash objects that are embedded in a Microsoft Office document and delivered via a spear-phishing email attack. The document is disguised as a questionnaire from a Moscow-based clinic and may use social engineering to entice a user into executing the embedded crafted Adobe Flash content. If successful, an implanted binary within a .rar file is extracted and executed. This extracted binary is a backdoor masquerading as an NVIDIA Control Panel application that utilizes a stolen, revoked digital certificate.

We request that organizations apply the latest patches provided by Adobe and Microsoft. Additionally, organizations can scan their environment with the following Qualys QIDs to detect the vulnerabilities described as CVE-2018-15982 and CVE-2018-15983:

| QID | Description |
|--------|-------------|
| 237076 | Red Hat Update for flash-plugin (RHSA-2018:3795) |
| 91484 | Microsoft Windows Adobe Flash Player Security Update for December 2018 (ADV180031) |
| 371361 | Adobe Security Update for Flash Player (APSB18-42) |


2 thoughts on “Adobe Flash Player Use After Free Vulnerability: APSB18-42”

    1. Hi Tom, you are correct. The QID was in the process of being released to production at the time this post was written. It has since been released in VULNSIGS-2.4.483-x. Can you please verify if you can see it in the knowledgebase now? Thanks!
