Trending CVEs for the Week of January 21st, 2019

CVE-2018-15982 is a use after free zero-day vulnerability in Adobe Flash Player (versions up to which can result in arbitrary code execution. The vulnerability was disclosed by Adobe in early December, when security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS were released. These updates addressed this critical (Adobe rating) vulnerability in Adobe Flash Player along with a related important (again, Adobe rating) privilege escalation vulnerability in Adobe Flash Player installer (CVE-2018-15983).  Both vulnerabilities were published in the NVD on 01/18/2019, where they are currently awaiting analysis (CVSS score not assigned as of Jan 23rd, 2019).

At the time of the  Adobe Security Bulletin release, Adobe was “aware of reports that an exploit for CVE-2018-15982 exists in the wild.” More recently, as detailed in reports by Malwarebytes and the Bleeding Computer, security researcher Kafeine  discovered that the new and improved version of the Fallout Exploit Kit makes use of this vulnerability. The exploit kit was discovered in August 2018 and takes advantage of flaws in Adobe Flash Player and Microsoft Windows. Fallout has been known to deliver Kraken Cryptor and GrandCrab ransomware. It is currently being distributed by malvertising campaigns through Popcash, TrafficShop, RevenueHits, and others. It is the second exploit kit to add support for CVE-2018-15982, after Underminer.

Adobe Flash has been a well-known threat for years – so much so, Adobe plans to discontinue Flash by the end of 2020. Others have also taken steps to protect against flaws in Flash, with Google’s Chrome leading this effort. By default, Chrome won’t load Flash plugins and requires users to click to enable the plugin manually. Later this year, Chrome will disable Flash in settings and by 2020 will remove it from the popular browser altogether.

Overall, the safest step towards protecting against Flash exploits is to enable ‘click-to-run’ for Flash objects, or disable Flash altogether.

More details:

Adobe Security Bulletin

Bleeping Computer Report

Malwarebytes Report