Adobe released a patch for a critical flaw on Tuesday that leaves its Flash Player vulnerable to arbitrary code execution by an adversary. Affected are versions of the Flash Player running on Windows, macOS, Linux and Chrome OS.
In tandem, a Microsoft Security Advisory was also issued for the bug (CVE-2018-15981) on Tuesday.
The bug is a type “confusion” vulnerability, which is a common attack technique used against Adobe’s ActionScript Virtual Machine. “Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,” according to a Microsoft description of the bug.
Israel-based researcher Gil Dabah is credited for identifying the flaw. The researcher published his finding on the bug November 15, five days ahead of Adobe’s fix.
“The interpreter code of the Action Script Virtual Machine does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution,” Dabah wrote.
In his technical write-up Dabah further explains:
“In the beginning we load the with-scope with a legit object. We later raise a dummy exception and immediately catch it ourselves. Now, the interpreter will still use the with-object we loaded, although the verifier thinks we don’t use a with-scope anymore, we will query for a member with a certain controlled type from the with-scope again and now use it as an argument for a function or an operand for an instruction that expects something else, and voila we got a type confusion.”
The vulnerability impacts users of the Adobe Flash Player Desktop Runtime for Windows, macOS and Linux running version 220.127.116.11 and earlier. Users are urged to update to Adobe Flash Player 18.104.22.168.
Adobe said it was not aware of any exploits in the wild.
Microsoft’s Security Advisory links to the Adobe patch, but also outlines a workaround. “You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry,” Microsoft said.
In its advisory, Adobe links to further information to a Chrome for Android Update post dated November 19. Absent are further details on CVE-2018-15981, however Google does notify users of a high severity use-after-free in GPU flaw (CVE-2018-17479).
Google Chrome, Adobe said, will be updated automatically to Adobe Flash Player 22.214.171.124 for Windows, macOS, Linux and Chrome OS. Windows 10 and 8.1 users of Edge and Internet Explorer 11 will also be automatically updated.
Microsoft said a likely attack would involve an attacker enticing a potential victim into clicking on a malicious link or advertisement to steer them to a booby-trapped website harboring the arbitrary code execution payload.