Security Advisory - March 13, 2018

Zscaler protects against 2 new vulnerabilities for Adobe Flash Player.

 

 

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 2 vulnerabilities included in the March 2018 Adobe security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the March release and deploy additional protections as necessary.

APSB18-05 – Security updates available for Adobe Flash Player.

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

 Severity: Medium

Affected Software

  • Adobe Flash Player Desktop Runtime 29.0.0.113 and earlier for Windows, Macintosh and Linux
  • Adobe Flash Player for Google Chrome 29.0.0.113 and earlier for Windows, Macintosh, Linux and Chrome OS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 29.0.0.113 and earlier for Windows 10 and 8.1

CVE-2018-4919 – Use After Free vulnerability

This vulnerability is type confusion that causes a dangling reference that leads to a use after free vulnerability in the ActionScript 2 PrintJob functionality. The mismatch between the memory layout of the XMLSocket object and the PrintJob object provides attacker with an unintended memory access, potentially leading to code corruption or control-flow hijack attack. Successful exploitation could lead to arbitrary code execution.

CVE-2018-4920 – Type Confusion vulnerability

This vulnerability is an instance of a type confusion vulnerability in the Primetime SDK module related to ad banner asset functionality. If an attacker can effectively control object of incompatible type, then the computation can result with out of bounds memory reads or write. The out of bounds memory access can lead to code corruption, control-flow hijack, or memory layout disclosure.