Adobe may indeed be thinking about phasing out Flash Player, and updates like today’s monster security bulletin will only serve to fuel that movement going forward.
Released just an hour before Microsoft’s scheduled Patch Tuesday release, Adobe pushed out a new version of the maligned Flash Player that addressed 79 CVEs. None of the patched vulnerabilities, Adobe said, are being exploited publicly.
Most of the vulnerabilities (56) are use-after-free flaws that could lead to code execution on the compromised machine.
Adobe said version 18.104.22.168 and earlier for Windows and Macintosh are affected for the desktop version of Flash. Adobe also released an update for Google Chrome and Microsoft’s Edge browser, as well as Internet Explorer 10 and 11.
In addition to the dozens of use-after-free vulnerabilities, Adobe also patched a dozen memory corruption vulnerabilities, two heap buffer overflows, stack, integer and buffer overflow vulnerabilities, in additional to security bypass flaws and a type confusion vulnerability.
This is one of the largest Adobe Flash updates in months; September’s scheduled update included patches for 23 vulnerabilities.
Last week, Adobe announced that it was beginning to move developers away from Flash and onto HTML5 for dynamic web content. The strategic change was heralded by security professionals weary of Flash constantly being targeted by criminals and state actors alike. The company announced that it will early next year rename Flash Professional CC to Animate CC, and deemed it Adobe’s preferred tool for developing HTML5 content. In the meantime, Adobe said it will continue to provide technical and security support for Flash.
“The key message is this is not going away any time soon,” said Mike Hanley, program manager R&D and Duo Security. “At best, this is a recognition that there is a future where Flash will no longer be a dominant platform on the web, but with no clear timeline or planned deprecation schedule, many legacy applications and web content will continue to rely on historically problematic platforms like Flash to get the broadest possible adoption for years to come.”