The Register reports that Adobe has released an out-of-band emergency update to patch a security bug in its Flash plug-in. The bug is being actively exploited by cybercriminals, and the way the attack works reads like a greatest hits album of terrible security, involving not just Flash but also ActiveX and Office:
In its current form, the attack bundles exploit code for the Flash zero-day (a use-after-free() bug) with an ActiveX call that is embedded within an Office document. The attacker delivers the document via a spear-phishing email. ATR noted that some of the samples appear to mimic documents from a Russian medical clinic, though others were not specifically targeted towards any one company or group.
When the target opens the poisoned Doc, the ActiveX plug-in calls up Flash Player to run the attack code. From there, CVE-2018-15982 is exploited and the malware looks to download its real payload: a remote control tool that collects system info and relays it to a command and control system.