Adobe has published its monthly security bulletin, and for the month of April 2018, the company has addressed security bugs in five products: Adobe Flash Player, Adobe Experience Manager (enterprise CMS), Adobe InDesign (publishing software), Adobe Digital Editions (e-book reader), and Adobe PhoneGap Push Plugin (mobile development library).
As usual, the Flash Player fixes reign supreme, as this remains Adobe's most popular product, even though Google has reported that Flash usage has declined from 80% in 2014 to under 8% in 2018.
In total, Adobe fixed 14 security flaws, broken down as follows: 6 in Flash Player, 3 in Experience Manager, 2 in InDesign, 2 in Digital Editions, and 1 in the PhoneGap Push Plugin.
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. The latest Adobe Flash Player version number is now: 29.0.0.140.
To download the update see this post: https://community.webroot.com/t5/Security-Industry-News/Adobe-Flash-Player-v29-0-0-140-and-Adobe-Air...
There is a new version of Adobe Flash Player, v29.0.0.140. Please make sure to uncheck any unwanted add-ons (PUAs) before downloading.
Download Adobe Flash Player: https://get.adobe.com/flashplayer/
Download Adobe Air: https://get.adobe.com/air/
Make sure to uncheck any unwanted add-ons (Optional offers) before installing.
The number of Flash Player exploits has recently declined, due to Adobe's introduction of various measures to strengthen Flash's security. Occasionally, however, an exploit still arises. On January 31, KR-CERT reported a zero-day vulnerability (Adobe has since released an update to fix this flaw). We analyzed this vulnerability and found that it bypassed the byte array mitigation feature that was introduced to prevent "length corruption" attacks in Flash. This post will focus on how the exploit bypasses the length checks.
Adobe Flash Player 28.0.0.161
Be sure to uncheck any unwanted add-ons if offered.
Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive. If you use the download center, uncheck any unnecessary extras.
Internet Explorer - ActiveX
Firefox, Safari, Opera (Presto) - NPAPI
Opera (Blink) and Chromium - PPAPI
If you are not an enterprise user, please visit get.adobe.com/flashplayer to download Adobe Flash Player for your system.
Enterprise users must have a valid license to download and distribute Adobe Flash Player binaries. Instructions and further details can be found at www.adobe.com/products/players/flash-player-distri
Please note that starting December 1st, 2015 you will be required to create an AdobeID to request an enterprise distribution license.
Security updates available for Flash Player | APSB18-03
Adobe Flash Player for Windows 10 Version 1607 (KB4074595)
Adobe Flash Player for Windows 10 Version 1703 (KB4074595)
Adobe Flash Player for Windows 10 Version 1709 (KB4074595)
If you have ever been infected, or have helped someone infected, with adware, then you have most likely seen your browser being redirected to sites pretending to be Flash Player updates. Instead of a legitimate update, these sites normally push adware bundles that install further unwanted programs on an unsuspecting user's computer. Today, I learned about a new fake Flash Player update site, but was surprised to find that it was installing a CPU miner onto visitors' computers instead.
Google Chrome 64.0.3282.140 Stable
Google Chrome Enterprise
Adobe Flash Player 184.108.40.206 for Google Chrome (PepperFlash)
unpack via 7-zip
February 2nd, 2018 By Lee Bell
The South Korean Computer Emergency Response Team (KR-CERT) has issued a security alert warning of a zero-day vulnerability affecting Adobe’s Flash Player.
Deployed in the wild, the malicious code is said to affect the latest version of Flash (28.0.0.137) and earlier across all OS platforms, and is said to give attackers the ability to persuade users to open Microsoft Office documents, web pages, and spam emails.
Security Advisory for Flash Player | APSA18-01
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.
Adobe will address this vulnerability in a release planned for the week of February 5.
For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Affected Product Versions
| Product | Affected Versions | Platform |
| Adobe Flash Player Desktop Runtime | 28.0.0.137 and earlier versions | Windows, Macintosh |
| Adobe Flash Player for Google Chrome | 28.0.0.137 and earlier versions | Windows, Macintosh, Linux and Chrome OS |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 28.0.0.137 and earlier versions | Windows 10 and 8.1 |
| Adobe Flash Player Desktop Runtime | 28.0.0.137 and earlier versions | Linux |
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
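One way to run that per-browser check in a single pass on a Windows host, as an added example that is not part of the thread or of Adobe's advisory: the script below inventories every Flash binary in Adobe's default install folders (System32 and SysWOW64 under Macromed\Flash, which hold the ActiveX, NPAPI and PPAPI plugins, plus Chrome's own per-profile PepperFlash copy) and flags any build at or below the "28.0.0.137 and earlier" cut-off. The folder paths and filename patterns are assumptions based on Adobe's standard installer layout; adjust $SearchRoots if your image differs.

```powershell
# Added example (not from the thread or from Adobe): inventory every Flash Player
# binary on a Windows host and flag builds at or below the version APSA18-01 lists
# as affected. Assumed: Adobe's standard install folders under Macromed\Flash and
# Chrome's per-profile PepperFlash folder.

$AffectedMax = [version]'28.0.0.137'   # "28.0.0.137 and earlier" per APSA18-01

$SearchRoots = @(
    "$env:WINDIR\System32\Macromed\Flash",                    # ActiveX, NPAPI, PPAPI (64-bit)
    "$env:WINDIR\SysWOW64\Macromed\Flash",                    # 32-bit copies on 64-bit Windows
    "$env:LOCALAPPDATA\Google\Chrome\User Data\PepperFlash"   # Chrome's own bundled PPAPI copy
)

function Get-FlashInventory {
    param([string[]]$Roots, [version]$Cutoff)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            # Flash*.ocx = ActiveX, NPSWF*.dll = NPAPI, pepflashplayer*.dll = PPAPI
            Where-Object { $_.Name -match '^(Flash.*\.ocx|NPSWF.*\.dll|pepflashplayer.*\.dll)$' } |
            ForEach-Object {
                # FileVersion may read "28,0,0,137" or "28.0.0.137"; pull the four numbers
                # out and build a [version] so that 28.0.0.137 sorts above 28.0.0.61
                # (a plain string comparison gets that wrong).
                $m = [regex]::Match($_.VersionInfo.FileVersion, '(\d+)[.,]\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)')
                if (-not $m.Success) { return }   # skip files with no parseable version
                $ver = [version]('{0}.{1}.{2}.{3}' -f $m.Groups[1].Value, $m.Groups[2].Value,
                                                      $m.Groups[3].Value, $m.Groups[4].Value)

                $type = switch -Regex ($_.Name) {
                    '^Flash'          { 'ActiveX (Internet Explorer; Edge/IE11 on Windows 10)'; break }
                    '^NPSWF'          { 'NPAPI (Firefox, Safari, Opera Presto)'; break }
                    '^pepflashplayer' { 'PPAPI (Chromium, Opera Blink)'; break }
                }

                [pscustomobject]@{
                    PluginType = $type
                    Version    = $ver
                    Affected   = ($ver -le $Cutoff)   # "and earlier" is inclusive
                    Path       = $_.FullName
                }
            }
    }
}

$inventory = Get-FlashInventory -Roots $SearchRoots -Cutoff $AffectedMax
$inventory | Sort-Object PluginType, Version | Format-Table -AutoSize

if ($inventory | Where-Object Affected) {
    Write-Warning "At least one Flash Player build at or below $AffectedMax is present; update each browser's plugin."
    exit 1
}
```

Each plugin type is a separate binary, which is why the advisory tells you to repeat the About check per browser: a patched ActiveX control for Internet Explorer says nothing about the NPAPI copy Firefox loads or the PepperFlash copy Chrome carries in its own profile folder. Comparing with `[version]` rather than as strings matters because Adobe's fourth field is not zero-padded. The non-zero exit code makes the script usable as a compliance check from an RMM or scheduled task.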
Beginning with Flash Player 27, administrators have the ability to change Flash Player's behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content. For more details, see this administration guide.
Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
| Use-after-free | Remote Code Execution | Critical | CVE-2018-4878 |
South Korea’s Internet & Security Agency (KISA) has issued an alert for a zero-day vulnerability in Flash Player that has reportedly been exploited in attacks by North Korean hackers.
Few details have been provided, but KISA says the vulnerability affects Flash Player 28.0.0.137 and earlier. Version 28.0.0.137 is the latest, released by Adobe in January as part of the Patch Tuesday updates.
Researchers uncover an innocent software update that's really a cover for espionage.
January 9th, 2018 By Danny Palmer
A state-sponsored hacking operation is targeting diplomats, using a new attack that bundles malware with a legitimate software update.
Uncovered by researchers at ESET, the attacks are targeting embassies and consulates in eastern European post-Soviet states and have been attributed to Turla, a well-known advanced persistent threat group.
The hacking operation has a history of targeting government and diplomatic bodies using watering-hole attacks and spear-phishing campaigns, which often involve the use of fake Flash downloads, to infiltrate victims' systems. Researchers note that some private companies have been infected, but that they're not the main targets of the campaign.