Adobe released a security update on Tuesday for Flash Player to resolve a critical vulnerability that could let attackers execute arbitrary code.
If you're one of the few IT or administrative professionals who still manages the deployment of Flash Player, don’t step out that door for Thanksgiving break just yet.
Adobe pushed an out of band patch for the software Tuesday morning to address a critical bug that could lead to code execution. Adobe said that while technical details about the vulnerability are publicly available, it's not being publicly exploited yet.
Adobe warns the vulnerability, a type confusion bug, could lead to arbitrary code execution in the contest of the current user if an attacker was able to successfully exploit it.
Vulnerabilities that lead to type confusion are caused by code that doesn't verify the type of an object that's passed to it - but uses it anyways. As Microsoft in a 2015 Security Response Center blog puts it: "Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution."
The vulnerability affects version 22.214.171.124 and earlier of Adobe's Flash Player for desktop, Chrome, Edge, and Internet Explorer. Users should update to the latest version 126.96.36.199 across all platforms - Windows - both 10 and 8.1, macOS, Linux, and Linux, to ensure they're protected.
It's unclear exactly who uncovered the bug; Adobe usually thanks a researcher or a group of researchers at the end of each security bulletin but didn’t on Tuesday.
It's likely a researcher named Gil Dabah may have discovered the bug however.
— Gil Dabah (@_arkon) November 13, 2018
In a blog post last week Dabah said he found the bug and that the issue stemmed from how the interpreter code of Flash's Action Script Virtual Machine (AVM) failed to reset its with-scope pointer when an exception is caught, something that leads to type confusion and in turn, remote code execution.
Dabah thanked Adobe’s security team for reaching out to him and working on a fix last Wednesday.
Kudos to @AdobeSecurity for touching base and working on a fix already.
— Gil Dabah (@_arkon) November 14, 2018