UPDATE 3/14/2018: On March 13, 2018, multiple vulnerabilities were announced for Adobe Flash Player versions 28.0.0.161 and earlier. The vulnerabilities could allow for remote code execution (CVE-2018-4919, CVE-2018-4920).
Background
Due to ongoing, frequent vulnerabilities in Adobe Flash, this bulletin will be updated when new critical vulnerabilities are announced. No additional bulletins will be issued related to this software title.
Impact
If successfully exploited, and depending on the privileges of the current user, the vulnerabilities could allow an attacker to install programs; view, change, or delete data; and create accounts with full user rights. Users whose accounts are configured with fewer rights on the system are less impacted than those who operate with administrative rights.
Platforms Affected
- Adobe Flash Player Desktop Runtime for Windows, Macintosh, and Linux.
- Adobe Flash Player for Google Chrome.
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11.
Local Observations
Administrators of systems that are not enrolled in Unified Device Management and are not patched through Secunia CSI together with a local WSUS server should update Flash to the latest version themselves.
UISO Recommendations
- Uninstall Flash, or disable Flash until it is needed.
- Enable Flash click-to-play in your browser.
- Update Flash to the latest version.
- Only open attachments from trusted senders. As a sender, when appropriate, consider using Box or another collaborative technology to share files rather than sending them as email attachments.
- Consider digitally signing email in order to help recipients distinguish between mail legitimately sent by you and fakes; this helps users know when to distrust attachments.
- Enable auto-updates to limit the exposure window for any Flash vulnerability.
- Apply the Principle of Least Privilege to all systems and services.
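Before updating or uninstalling, an administrator usually wants to know whether a given host is actually running an affected build. The following is an added example written for this bulletin; it is not UISO or Adobe tooling. It reads the version Flash records about itself in the places it is installed (the version baked into the file names under Macromed\Flash on Windows, CFBundleShortVersionString in the macOS plugin's Info.plist, and the "LNX x,y,z,w" marker embedded in libflashplayer.so on Linux) and compares each against the 28.0.0.161 ceiling named in the update above. The install paths and the sample inputs are assumptions made for the example, and the sample bytes are constructed, so the demo runs offline.

```python
"""Audit a host for Adobe Flash Player builds at or below 28.0.0.161.

Added example for this bulletin (not UISO or Adobe code). The install
locations below are the conventional ones and are assumptions for the
example; the SAMPLE_* inputs are constructed so the module runs offline.
"""
import glob
import os
import plistlib
import re
from typing import Iterable, List, Optional, Tuple

# Highest affected build named in the 3/14/2018 update; anything at or below it is affected.
AFFECTED_CEILING = "28.0.0.161"

# Windows file names carry the version, e.g. Flash32_28_0_0_161.ocx (ActiveX/IE),
# NPSWF64_28_0_0_161.dll (NPAPI) and pepflashplayer32_28_0_0_161.dll (PPAPI).
WIN_NAME_RE = re.compile(
    r"^(?:Flash|NPSWF|pepflashplayer)\d{2}_(\d+)_(\d+)_(\d+)_(\d+)\.(?:ocx|dll)$", re.I
)
# libflashplayer.so embeds a marker such as b"LNX 28,0,0,161".
LNX_RE = re.compile(rb"LNX (\d+),(\d+),(\d+),(\d+)")

# Constructed sample inputs (not captured from a real system).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleShortVersionString</key><string>28.0.0.161</string>
</dict></plist>"""
SAMPLE_SO_BYTES = b"\x7fELF\x02\x01\x01" + b"\x00" * 32 + b"LNX 28,0,0,161\x00" + b"\x00" * 16


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '28.0.0.161' or '28,0,0,161' into a comparable tuple of ints."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, ceiling: str = AFFECTED_CEILING) -> bool:
    """True when version <= ceiling using numeric, field-by-field comparison."""
    return parse_version(version) <= parse_version(ceiling)


def version_from_windows_name(path: str) -> Optional[str]:
    """Extract the version from a Windows Flash file name; None for unrelated files."""
    name = re.split(r"[\\/]", path)[-1]  # basename that also splits on backslashes off-Windows
    m = WIN_NAME_RE.match(name)
    return ".".join(m.groups()) if m else None


def version_from_macos_plist(plist_bytes: bytes) -> Optional[str]:
    """Read CFBundleShortVersionString from the plugin bundle's Info.plist."""
    info = plistlib.loads(plist_bytes)
    value = info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")
    return str(value) if value else None


def version_from_linux_so(so_bytes: bytes) -> Optional[str]:
    """Find the 'LNX a,b,c,d' marker inside libflashplayer.so."""
    m = LNX_RE.search(so_bytes)
    return ".".join(g.decode() for g in m.groups()) if m else None


def audit(findings: Iterable[Tuple[str, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """Map (location, version) pairs to (location, version, verdict) rows."""
    rows = []
    for location, version in findings:
        if version is None:
            rows.append((location, "?", "unknown"))
        else:
            rows.append((location, version, "VULNERABLE" if is_affected(version) else "ok"))
    return rows


def collect_local() -> List[Tuple[str, Optional[str]]]:
    """Look in the conventional install locations on this host (assumed paths)."""
    found: List[Tuple[str, Optional[str]]] = []
    for path in glob.glob(r"C:\Windows\System32\Macromed\Flash\*") + glob.glob(
        r"C:\Windows\SysWOW64\Macromed\Flash\*"
    ):
        version = version_from_windows_name(path)
        if version:
            found.append((path, version))
    plist = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
    if os.path.exists(plist):
        with open(plist, "rb") as fh:
            found.append((plist, version_from_macos_plist(fh.read())))
    for so in glob.glob("/usr/lib*/**/libflashplayer.so", recursive=True) + glob.glob(
        os.path.expanduser("~/.mozilla/plugins/libflashplayer.so")
    ):
        with open(so, "rb") as fh:
            found.append((so, version_from_linux_so(fh.read())))
    return found


if __name__ == "__main__":
    rows = audit(collect_local()) or [("(no Flash install found)", "-", "-")]
    for location, version, verdict in rows:
        print(f"{verdict:11} {version:12} {location}")
```

The check covers the standalone runtime (the first platform in the list above). Flash bundled with Google Chrome updates with Chrome itself, and the Edge/Internet Explorer 11 component is delivered through Windows Update, so those two are verified by confirming the browser or OS patch level rather than by this script.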