UPDATE (February 6, 2018): Today, Adobe released version 220.127.116.11 which fixes the vulnerabilities affecting version 28.0.0137 and earlier. We recommend patches are applied immediately. See updated SA81412. When patching cannot be done soon, consider other mitigation options. More details below.
On February 1, 2018 Secunia Research issued the advisory SA81412, covering a “Extremely Critical”, unpatched vulnerability on Adobe Flash Player 28.x. The advisory was issued on the same day Adobe released the security advisory reporting on the flaw.
According to the Secunia Advisory, this vulnerability (CVE-2018-4878) affects version 18.104.22.168 and prior running on Windows, Macintosh and Linux. The current reports point that this vulnerability is being exploited in limited, targeted attacks against Windows platforms. The successful exploitation of this vulnerability can lead to taking control of the target system.
Adobe has plans to release a fix this week, but the fact that the vulnerability is being exploited in the wild is a warning for users to be alert and take alternative measures to mitigate the risk in the meanwhile. Brian Krebs suggests some options in his blog on the topic.
We recommend implementing the patches as soon as they are available. Organization can already start the process to identify the instances of the vulnerable software, verify dependencies, and plan for rolling out the updates when released.
Customers of Corporate Software Inspector get alerts and can easily identify unpatched vulnerable software and fix them.