Adobe released a security advisory (APSA18-01) for Adobe Flash Player that confirms a critical security vulnerability (original…) in Player version 28.0.0.137 and in previous versions.
Flash Player 28.0.0.137 is the latest version of the application, which means that all installed versions of Flash are affected by the vulnerability.
Affected products:
Adobe Flash Player Desktop Runtime on Windows, Linux and Mac platforms.
Adobe Flash Player for Google Chrome on Windows, Mac, Linux, and Chrome OS platforms.
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 8.1 and 10.
Adobe plans to release an update for Flash Player next week, which is expected to close the security gap.
The company has confirmed that the vulnerability can be exploited on Windows through Office documents that contain embedded malicious Flash content. These documents are distributed by email.
Adobe reports that the vulnerability, CVE-2018-4878, is already being used in limited, targeted attacks against Windows users.
Adobe also states that anyone who wants to be protected should use Protected View to open Office documents in read-only mode. This is done from File - Options, by activating the Protected View options under Trust - Trust Center Settings - Protected View.
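To confirm that Protected View has not been switched off on a workstation, the same settings can be read from the registry. The script below is an added example, not part of Adobe's advisory or the original article; it assumes the current user's hive and Office versions 14.0 to 16.0, and checks the per-user and policy values that Office uses for Protected View.

```powershell
# Added example: audit Protected View for the current user (read-only, changes nothing).
# For each value below, 1 means Protected View is DISABLED for that source;
# 0 or a missing value means it is enabled (the Office default).
$versions = '14.0', '15.0', '16.0'      # assumption: Office 2010, 2013, 2016 and later
$apps     = 'Word', 'Excel', 'PowerPoint'
$settings = [ordered]@{
    DisableInternetFilesInPV   = 'Files from the Internet'
    DisableUnsafeLocationsInPV = 'Files in potentially unsafe locations'
    DisableAttachmentsInPV     = 'Outlook attachments'
}
# Group Policy location is checked first because it overrides the user's own setting.
$roots = 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office'

function Get-ProtectedViewState {
    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            # Skip Office versions and applications this user has never run.
            if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\$app")) { continue }
            foreach ($name in $settings.Keys) {
                $value = $null
                $setBy = 'default'
                foreach ($root in $roots) {
                    $key  = "$root\$ver\$app\Security\ProtectedView"
                    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                    if ($null -ne $prop) { $value = $prop.$name; $setBy = $root; break }
                }
                [pscustomobject]@{
                    Version       = $ver
                    App           = $app
                    Source        = $settings[$name]
                    ProtectedView = if ($value -eq 1) { 'DISABLED' } else { 'Enabled' }
                    SetBy         = $setBy
                }
            }
        }
    }
}

Get-ProtectedViewState | Format-Table -AutoSize
```

Any row showing DISABLED for Outlook attachments or Internet files means documents arriving by email or download open outside Protected View for that application.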
If you use Flash, it is a good idea to turn it off in your browser: the attacks seen so far come through Office documents, but that does not mean they will not turn into attacks delivered through the web.
Patience, where will it go? The universal disabling of Adobe Flash across all web applications is on its way.