Adobe Fixes Critical Flash Flaw

Sunday, November 25, 2018 @ 09:11 PM gHale

Adobe released a Flash Player update that plugs a critical vulnerability that could lead to remote code execution.

The flaw is important enough to the point where the company is urging users to implement the fix as soon as possible.

RELATED STORIES
Out of Band Patch from Adobe
Adobe Fixes Flash, ColdFusion Holes
Patch Tuesday Clears Zero Day
Windows 10 Zero Day Discovered

The flaw, that has the CVE-2018-15981 file number, affects Flash Player 31.0.0.148 and earlier versions on Windows, macOS, Linux and Chrome OS, and details are already publicly available, the company said in an advisory.

CVE-2018-15981 ended up discovered and publicly disclosed by researcher Gil Dabah.

“The interpreter code of the Action Script Virtual Machine (AVM) does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution,” he said in a post.

“When I found this bug at first, I thought there’s small chance it’s a real bug. Particularly, I had my doubts, because the chances to have a forgotten/dangling with-scope is high in a normal Flash application,” he said. “So how come nobody encountered this bug before as a misbehavior of their app? E.G. by getting a wrong variable, etc. Apparently, the combination to cause this scenario accurately is not that high after all.”

One of the best fixes could be removing Flash Player altogether, since Adobe is planning to end support for it by the end of 2020.



Leave a Reply

You must be logged in to post a comment.