Adobe issued another security update yesterday to address a type confusion vulnerability. The vulnerability (CVE-2018-15981) could allow remote code execution. An attacker could construct a malicious SWF file, host it on a website and then exploit any vulnerable visitor browsing the website. Following this, the vulnerability could allow the attacker to execute any command on the machine which includes downloading and installing malware. According to researchers, “The interpreter code of the Action Script Virtual Machine (AVM) does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution.”
Analyst Notes
Anyone still using Adobe Flash is advised to upgrade to Adobe Flash Player 31.0.0.153. Most browsers currently have flash player disabled by default. Unless flash player is specifically needed, it is better to leave the browser plugin disabled.