Adobe Fixes Critical Flash Vulnerability with

by Chris Brook on Wednesday November 21, 2018

Contact Us
Free Demo
Chat

Adobe released a security update on Tuesday for Flash Player to resolve a critical vulnerability that could let attackers execute arbitrary code.

If you're one of the few IT or administrative professionals who still manages the deployment of Flash Player, don’t step out that door for Thanksgiving break just yet.

Adobe pushed an out of band patch for the software Tuesday morning to address a critical bug that could lead to code execution. Adobe said that while technical details about the vulnerability are publicly available, it's not being publicly exploited yet.

It's the second update to Adobe software this month, the latest after regularly scheduled Patch Tuesday updates to Photoshop CC, Acrobat and Reader, and Flash Player earlier this month.

Adobe warns the vulnerability, a type confusion bug, could lead to arbitrary code execution in the contest of the current user if an attacker was able to successfully exploit it.

Vulnerabilities that lead to type confusion are caused by code that doesn't verify the type of an object that's passed to it - but uses it anyways. As Microsoft in a 2015 Security Response Center blog puts it: "Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of Flash Player. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution."

The vulnerability affects version 31.0.0.148 and earlier of Adobe's Flash Player for desktop, Chrome, Edge, and Internet Explorer. Users should update to the latest version 31.0.0.153 across all platforms - Windows - both 10 and 8.1, macOS, Linux, and Linux, to ensure they're protected.

It's unclear exactly who uncovered the bug; Adobe usually thanks a researcher or a group of researchers at the end of each security bulletin but didn’t on Tuesday.

It's likely a researcher named Gil Dabah may have discovered the bug however.

In a blog post last week Dabah said he found the bug and that the issue stemmed from how the interpreter code of Flash's Action Script Virtual Machine (AVM) failed to reset its with-scope pointer when an exception is caught, something that leads to type confusion and in turn, remote code execution.

Dabah thanked Adobe’s security team for reaching out to him and working on a fix last Wednesday.

Tags: Vulnerabilities

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.