Skip to main content

Adobe Fixes Critical Flash Vulnerability with

by Chris Brook on Wednesday November 21, 2018

Contact Us
Free Demo
Chat

Adobe released a security update on Tuesday for Flash Player to resolve a critical vulnerability that could let attackers execute arbitrary code.

If you're one of the few IT or administrative professionals who still manages the deployment of Flash Player, don’t step out that door for Thanksgiving break just yet.

Adobe pushed an out of band patch for the software Tuesday morning to address a critical bug that could lead to code execution. Adobe said that while technical details about the vulnerability are publicly available, it's not being publicly exploited yet.

It's the second update to Adobe software this month, the latest after regularly scheduled Patch Tuesday updates to Photoshop CC, Acrobat and Reader, and Flash Player earlier this month.

Adobe warns the vulnerability, a type confusion bug, could lead to arbitrary code execution in the contest of the current user if an attacker was able to successfully exploit it.

Vulnerabilities that lead to type confusion are caused by code that doesn't verify the type of an object that's passed to it - but uses it anyways. As Microsoft in a 2015 Security Response Center blog puts it: "Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution."

The vulnerability affects version 31.0.0.148 and earlier of Adobe's Flash Player for desktop, Chrome, Edge, and Internet Explorer. Users should update to the latest version 31.0.0.153 across all platforms - Windows - both 10 and 8.1, macOS, Linux, and Linux, to ensure they're protected.

It's unclear exactly who uncovered the bug; Adobe usually thanks a researcher or a group of researchers at the end of each security bulletin but didn’t on Tuesday.

It's likely a researcher named Gil Dabah may have discovered the bug however.

In a blog post last week Dabah said he found the bug and that the issue stemmed from how the interpreter code of Flash's Action Script Virtual Machine (AVM) failed to reset its with-scope pointer when an exception is caught, something that leads to type confusion and in turn, remote code execution.

Dabah thanked Adobe’s security team for reaching out to him and working on a fix last Wednesday.

Tags:  Vulnerabilities

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.