Adobe Patches Critical Code Execution Vulnerability in Flash Player

Adobe has patched a critical arbitrary code execution vulnerability in Flash Player. This is the only bug fixed by the software giant this Patch Tuesday.

The vulnerability, tracked as CVE-2020-9746, has been described as a NULL pointer dereference issue.

“Successful exploitation could lead to an exploitable crash, which could result in the execution of arbitrary code in the context of the current user,” Adobe explained in its advisory.

The company noted that exploiting the vulnerability requires the attacker to insert malicious strings into an HTTP response that is delivered by default over TLS, making it difficult to carry out an attack.

Adobe patched CVE-2020-9746 with the release of Flash Player for Windows, macOS, Linux, and Chrome OS.

The company says there is no evidence that the vulnerability has been exploited for malicious purposes, and although the bug has been classified as critical, Adobe has assigned it a priority rating of 2, meaning it does not expect it to be exploited in the short term.

“As is often the case with Flash Player vulnerabilities, web-based exploitation is the main vector of exploitation, but not the only one. These vulnerabilities can also be exploited by an ActiveX control embedded in a Microsoft Office document or any application that uses the IE rendering engine,” Nick Colyer, senior manager of product marketing at Automox, told SecurityWeek.

Colyer added: “As a security best practice, remediation of recurring or commonly exploitable threat vectors is always strongly recommended. For organizations that cannot remove Adobe Flash due to a business-critical function, it is recommended to mitigate the threat potential of these vulnerabilities by preventing Adobe Flash Player from running entirely through the killbit function, set a Group Policy to disable instantiation of Flash objects, or limit the configuration of the trust center requesting active scripts.”
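The killbit mitigation Colyer refers to can be applied and audited with the following added example (it is not code from the article or from Automox). It assumes the well-known Shockwave Flash Object CLSID and Microsoft's documented "ActiveX Compatibility" registry location, where setting bit 0x400 in Compatibility Flags blocks the control from loading in Internet Explorer and Office.

```powershell
# Added example (not from the article or Automox): set the ActiveX "killbit"
# for the Flash Player control so IE, Office and other MSHTML hosts refuse
# to instantiate it. Assumptions: the Shockwave Flash Object CLSID below and
# the documented ActiveX Compatibility key with Compatibility Flags = 0x400.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit    = 0x400   # COMPAT_EVIL_DONT_LOAD: prevents the control from loading

# The native view is always needed; 64-bit Windows also has a WOW6432Node view
# used by 32-bit hosts such as 32-bit Office.
$CompatPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    $CompatPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}

function Set-FlashKillBit {
    # Sets the killbit in every registry view; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $CompatPaths) {
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$current -bor $KillBit   # keep any flags already present
        if ($PSCmdlet.ShouldProcess($path, ("Set Compatibility Flags to 0x{0:X}" -f $new))) {
            Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

function Test-FlashKillBit {
    # Audit helper: returns $true only if the killbit is present in every view.
    foreach ($path in $CompatPaths) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

Set-FlashKillBit     # requires an elevated (Administrator) session
Test-FlashKillBit    # prints True once the control is blocked in all views
```

Test-FlashKillBit can also be run on its own from a non-elevated session to audit fleet machines, for example through a configuration-management agent.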

Support for Flash Player ends on December 31, after which it will no longer receive security updates. Browser makers have started to take action, and Microsoft recently announced that Flash will be removed from the new Edge browser in January 2021.

Featured Image: wccftech

Source: SecurityWeek
