A patch released Tuesday by Adobe fixes a critical confusion vulnerability, CVE-2018-4944, found in all Flash Player versions up to 18.104.22.168.
A confusion vulnerability, which means the application isn't properly inspecting data it gets from other applications, “can allow for arbitrary code execution, as is the case with this vulnerability,” said Allan Liska, threat intelligence analyst at Recorded Future. “This means an attacker can use the vulnerability to execute remote code, usually a loader of some sort, on the victim's machine.”
While Adobe resolved only one CVE, “it is rated as Critical,” said Gill Langston, director of product management, patching, at Qualys, “Flash Player is still a high profile target on end user systems. It is always recommended as a high priority.”
The company urged users to upgrade to Adobe Flash Player 22.214.171.124.