Until recently, researchers had to take Microsoft’s word that the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.
The relevant CVEs[1] are:
And from Adobe’s release, the list of vulnerable versions is quite broad:
Affected software versions
- Adobe Flash Player 184.108.40.206 and earlier versions for Windows and Macintosh
- Adobe Flash Player 220.127.116.116 and earlier versions for Linux
- Adobe AIR 18.104.22.1680 and earlier versions for Android
- Adobe AIR 22.214.171.1240 SDK and earlier versions
- Adobe AIR 126.96.36.1990 SDK & Compiler and earlier versions
Essentially, if you didn’t download a new version of Adobe Flash today, you’re probably vulnerable.
Adobe has released security updates for Adobe Flash Player 188.8.131.52 and earlier versions for Windows and Macintosh and Adobe Flash Player 184.108.40.2066 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.
[1] Common Vulnerabilities and Exposures reference number used by researchers and vendors