Adobe said that the vulnerability (CVE-2018-4878) is being exploited in the wild in “limited, targeted attacks against Windows users,” allowing the attacker to take control of the system. However, it also affects macOS, Chrome OS, and Linux users running the following software (v188.8.131.52 and below):
- Adobe Flash Player Desktop Runtime (Windows, Macintosh)
- Adobe Flash Player for Google Chrome (Windows, Macintosh, Linux, and Chrome OS)
- Adobe Flash Player for Edge and IE 11 (Windows 10, 8.1)
- Adobe Flash Player Runtime (Linux)
The attacks can be performed using web pages with Flash content, but also via email containing documents with embedded malicious Flash content. Adobe has advised enabling Protected View for Office, which opens potentially dangerous Office files in read-only mode.
Adobe is yet to issue a security patch that addresses Flash Player’s remote code execution bug. Users are advised to disable Flash Player until the update arrives on February 5. The presence of Flash Player on websites across the web is already declining, and Adobe has previously announced its execution date. So users who don’t use Flash Player regularly can uninstall it without running into any problems.
If you have Flash Player running on your system, you can check the version by visiting a web page with Flash content. Right-click on the content and click ‘About Adobe (or Macromedia).’ You can also visit this page to check the same. In Windows 10, you can visit Settings > Apps. Click the Adobe Flash entry in the list, and it’ll show the exact version.