Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users.

"The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers," Qihoo 360 wrote in a blog post publishing its vulnerability analysis.


"Because Flash assumes that it is impossible to execute to the catch block when processing the try catch statement, it does not check the bytecode in the catch block," the researchers explain. "The attacker uses the getlocal, setlocal instruction in the catch block to read and write arbitrary addresses on the stack."

Besides the patch for CVE-2018-5002, Adobe also rolled out security updates for two "important" vulnerabilities—an Integer Overflow bug (CVE-2018-5000) and an Out-of-bounds Read issue (CVE-2018-5001)—both of which lead to information disclosure.

So, users are highly recommended to immediately update Adobe Flash Player to version 30.0.0.113, either via the software's built-in update mechanism or by visiting the Adobe Flash Player Download Center.
