Unpatched Vulnerabilities Enable Adobe Flash Zero-Day

Adobe has issued security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS after active exploitation of another zero-day vulnerability in Adobe Flash, delivered via a Microsoft Office document, was identified.

The critical vulnerability (CVE-2018-15982) is being exploited in the wild and could lead to arbitrary code execution and privilege escalation, according to the advisory.

According to Gigamon’s applied threat research team, the vulnerability “allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system. The document was submitted to VirusTotal from a Ukrainian IP address and contains a purported employment application for a Russian state healthcare clinic.”

Adobe Flash makes up 10 of the top 20 application vulnerabilities that impact the most businesses, with 79% of those vulnerabilities rated high severity and having public exploits available, according to Tenable’s recently published Vulnerability Intelligence Report. In addition, when looking at affected enterprises and assets, Microsoft .NET and Office, Adobe Flash and Oracle’s Java have the most widespread impact.

Even more alarming, the report noted that Tenable discovered considerable numbers of known but unpatched Oracle Java, Adobe Flash, Microsoft IE and Office vulnerabilities in enterprise environments, some dating back more than a decade.

“Exploits against zero-day vulnerabilities that allow for command execution using relatively stock enterprise software are valuable. Flash exploitation can be expected to continue as long as there are valid weaponization vectors that permit reliable execution,” Gigamon wrote.

As many experts look to 2019 in anticipation of what is to come, they warn that there will be an increase in cyberattacks. The Information Security Forum (ISF) has announced the top global security threats that businesses will face in 2019. Among them is the increased sophistication of cybercrime and ransomware.

Yet when companies leave known vulnerabilities unpatched for the better part of a decade, cyber-criminals don’t need to advance their tactics and procedures to carry out targeted attacks, particularly when organizations don’t understand their risk. According to the Tenable report, the Common Vulnerability Scoring System (CVSS) is an inadequate prioritization metric on its own, and companies must prioritize vulnerabilities based on actual risk: whether an exploit exists or is in use, how exposed and how widespread the affected assets are, and how long the fix has been left unapplied.
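The following script is an added example, not part of the original article or of the Tenable report, that makes the prioritization argument concrete: it ranks the same set of findings once by CVSS base score alone and once by a risk score that also weighs exploit maturity, exposure, the number of affected assets and how long the patch has been missing. The weighting in `risk_score` and the four sample findings (placeholder identifiers `VULN-1` to `VULN-4`) are constructed for illustration and are not a published standard.

```python
"""Added example: CVSS-only ranking versus a risk-based ranking.

The weights below are an assumption chosen to illustrate the point,
not a standard scoring model; the findings are constructed sample data.
"""
from dataclasses import dataclass
from math import log10


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed placeholder identifier
    cvss: float           # CVSS base score, 0.0 to 10.0
    public_exploit: bool  # working exploit code is publicly available
    exploited_in_wild: bool
    exposed: bool         # reachable by untrusted input (internet-facing, or user-opened documents)
    asset_count: int      # affected hosts in the estate
    age_days: int         # days a fix has been available but not applied


# Constructed sample findings (not real vulnerability data).
SAMPLE_FINDINGS = [
    Finding("VULN-1", 10.0, False, False, False, 3, 30),
    Finding("VULN-2", 8.8, True, True, True, 400, 3000),   # old, exploited, widespread
    Finding("VULN-3", 9.1, True, False, False, 50, 900),
    Finding("VULN-4", 5.3, True, True, True, 1200, 200),   # "medium" CVSS, but exploited and exposed
]


def risk_score(f: Finding) -> float:
    """Assumed weighting: CVSS as the base, multiplied by exploit maturity,
    exposure, breadth (log10 of affected assets) and patch staleness."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 2.0
    elif f.public_exploit:
        score *= 1.5
    if f.exposed:
        score *= 1.5
    # Breadth: a single affected host barely changes the score; thousands do.
    score *= 1.0 + log10(max(f.asset_count, 1))
    # Staleness: up to +50% for a fix left unapplied for ten years.
    score *= 1.0 + 0.5 * min(f.age_days, 3650) / 3650
    return score


def rank_by_cvss(findings):
    """Identifiers ordered by CVSS base score, highest first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """Identifiers ordered by the assumed risk score, highest first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("By CVSS alone:", rank_by_cvss(SAMPLE_FINDINGS))
    print("By risk score:", rank_by_risk(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.vuln_id}: cvss={f.cvss:4.1f} risk={risk_score(f):6.2f}")
```

With the constructed data the CVSS-only order is VULN-1, VULN-3, VULN-2, VULN-4, while the risk-based order is VULN-2, VULN-4, VULN-3, VULN-1: the perfect-10 bug on three internal hosts with no known exploit drops to the bottom, and the "medium" bug that is exploited, exposed and present on over a thousand hosts moves to second place. Any real deployment would replace the assumed multipliers with the organization's own threat intelligence and asset inventory; the structure of the calculation is the point.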
