SURPRISE SURPRISE. Adobe has patched four security vulnerabilities in Flash Player, one of which is a zero-day being actively exploited in the wild.
In what is probably no longer comes as any sort of revelation, the fix (version 126.96.36.199) addresses critical vulnerabilities CVE-2018-4945, CVE-2018-5000, CVE-2018-5001, and CVE-2018-5002 found in version 188.8.131.52 and earlier of Flash Player, covering Windows, Mac, Linux, and Chrome OS editions.
According to Adobe’s security bulletin, CVE-2018-4945 is a type confusion flaw and CVE-2018-5002 a stack-based buffer overflow vulnerability, both of which enable arbitrary code execution. CVE-2018-5000 and CVE-2018-5001 both enable information disclosure.
However, it’s CVE-2018-5002 you need to look out for, Adobe warns.
“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email,” the company said in a statement.
The vulnerability was discovered being used in limited, targeted attacks on Windows users in the wild, and uses an Office document to download and execute an Adobe Flash exploit to target machines, according to the Icebrg Security Research Team, one of few organisations that independently identify and report vulnerabilities to Adobe.
“Given the pounding regularity of critical updates, and the total lack of surprise that greets the discovery of yet another in-the-wild exploit, die-hard users of Flash probably have the muscle memory for updates dialled in so hard they can do them in their sleep,” said Sophos in a Naked Security blog post.
“[We] suggest you interrupt your subconscious reflex and don’t update though […] if you’re still using Flash you remove it entirely, right now, and never look back.”
The news of yet another flash exploit comes just weeks after Adobe announced it had struck a deal to take Magento Commerce off of private equity firm Permira’s hands for $1.68bn.
Just three years after Permira bought the company for just $200m, Adobe said the deal intends to integrate the Magento Commerce Cloud with the Adobe Experience Cloud “delivering a single platform that serves both B2B and B2C customers globally”. The acquisition is the third biggest in Adobe’s history.
According to Adobe, the Magento Platform “brings together digital commerce, order management and predictive intelligence into a unified commerce platform enabling shopping experiences across a wide array of industries”.
The aim of the acquisition is to better enable Adobe to compete against Oracle and Salesforce, which both have relatively mature commerce platforms. µ
Source : Inquirer