Adobe is warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems.
The vulnerability is the only flaw released this month as part of Adobe’s regularly scheduled patches (markedly less than the 18 flaws addressed during its September regularly scheduled fixes). However, it’s a critical bug (CVE-2020-9746), and if successfully exploited could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user, according to Adobe.
“As is typically the case for Flash Player vulnerabilities, web-based exploitation is the primary vector of exploitation but not the only one,” according to Nick Colyer, senior product marketing manager with Automox, in an email. “These vulnerabilities can also be exploited through an embedded ActiveX control [a feature in Remote Desktop Protocol] in a Microsoft Office document or any application that uses the Internet Explorer rendering engine.”
The issue stems from a NULL pointer-dereference error. This type of issue occurs when a program attempts to read or write to memory with a NULL pointer. Running a program that contains a NULL pointer dereference generates an immediate segmentation fault error.
Affected are versions 126.96.36.1993 and earlier of Adobe Flash Desktop Runtime (for Windows, macOS and Linux); Adobe Flash Player for Google Chrome (Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1).
A patch is available in version 188.8.131.525 across all affected platforms (see below). Adobe ranks the patch as a “priority 2,” meaning that it “resolves vulnerabilities in a product that has historically been at elevated risk” – however, there are currently no known exploits.
Flash is known to be a favorite target for cyberattacks, particularly for exploit kits, zero-day attacks and phishing schemes. Of note, Adobe announced in July 2017 that it plans to push Flash into an end-of-life state, meaning that it will no longer update or distribute Flash Player at the end of this year. In June, with Flash Player’s Dec. 31 kill date quickly approaching, Adobe said that it will start prompting users to uninstall the software in the coming months.
Adobe recommends that users update their product installations to the latest versions using the instructions referenced in the bulletin. As a security best practice, remediation of commonly exploitable or recurring threat vectors is always strongly encouraged, Colyer said.
“For organizations that cannot remove Adobe Flash due to a business-critical function, it is recommended to mitigate the threat potential of these vulnerabilities by preventing Adobe Flash Player from running altogether via the killbit feature, set a Group Policy to turn off instantiation of Flash objects, or limit trust center settings prompting for active scripting elements,” said Colyer.
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.