Quiz – what’s the one plugin your web browser probably uses that most cyber security professionals would like to see disappear from the face of the earth? If you answered Adobe Flash Player, you are right! For years Flash Player provided important functionality that standard HTML-based web browsers could not. With the advent of HTML5, that started to change. However, a large number of old web sites still depend on Flash Player to render properly, so many sysadmins and developers have chosen to keep Flash Player in their builds rather than break legacy web sites. Unfortunately, continuing to carry Flash forward is endangering cyber security for many people and organizations.
Let’s cut to the chase – Adobe released a security advisory on November 8 outlining the security vulnerability. If you are running Flash version 22.214.171.124 or earlier, you are vulnerable. Check here to see what version of Flash you are running. If you are running 126.96.36.199 or earlier, upgrade your Flash Player (or your Chrome web browser, which has Flash built in) right away!
The Adobe security advisory is actually a roll-up of a number of critical Flash Player bugs – 9 to be precise. Each of the 9 vulnerabilities allows a remote attacker to potentially execute arbitrary code on an affected system. The level of complexity required to initiate an attack is minimal, and the attacker does not need local access: the bugs can be triggered remotely, for example through Flash content served from a web page. Each of the vulnerabilities is ranked as a critical bug.
Use-after-free vulnerabilities stem from poorly coded memory management. In a nutshell, a program frees a block of memory but keeps using a stale (dangling) pointer to it. If the freed block is reallocated and its contents are filled with attacker-controlled data before the stale pointer is used, the program operates on data the attacker chose, which can be turned into arbitrary code execution.
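To make the mechanism above concrete, here is an added example (not code from the original post or from Adobe) in C. It assumes a constructed single-slot arena allocator so that reuse of freed memory is deterministic; a real heap allocator hands freed chunks back out in much the same way. The vulnerable function keeps a raw pointer across a free and reads whatever the reused block now holds; the hardened function tracks a generation counter per allocation and refuses a stale handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed mini-arena: one fixed-size slot, so a freed block is always
   handed out again on the next allocation (deterministic for this demo). */
#define SLOT_SIZE 32
static unsigned char slot[SLOT_SIZE];
static int slot_in_use = 0;
static uint32_t slot_generation = 0;   /* incremented on every free */

typedef struct { void *ptr; uint32_t gen; } handle_t;

static void *arena_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    memset(slot, 0, SLOT_SIZE);
    return slot;
}
static void arena_free(void *p) {
    if (p == slot && slot_in_use) { slot_in_use = 0; slot_generation++; }
}

/* Vulnerable pattern: the object is freed but the raw pointer is kept and
   dereferenced later. Returns 1 if the stale pointer still sees the original
   data, 0 if it now sees whatever the new owner of the block wrote. */
int vulnerable_read_after_free(void) {
    char *obj = arena_alloc();
    strcpy(obj, "trusted");
    arena_free(obj);                       /* obj now dangles */
    char *reused = arena_alloc();          /* same memory handed out again */
    strcpy(reused, "untrusted");           /* contents chosen by other code */
    int still_trusted = (strcmp(obj, "trusted") == 0);
    arena_free(reused);
    return still_trusted;                  /* 0: stale pointer reads new data */
}

/* Hardened pattern: a handle carries the generation it was issued under;
   resolving it after a free fails instead of touching reused memory. */
static handle_t make_handle(void *p) { handle_t h = { p, slot_generation }; return h; }
static void *resolve(handle_t h) {
    return (h.ptr == slot && slot_in_use && h.gen == slot_generation) ? h.ptr : NULL;
}
int hardened_read_after_free(void) {
    handle_t h = make_handle(arena_alloc());
    strcpy(resolve(h), "trusted");
    arena_free(h.ptr);
    char *reused = arena_alloc();
    strcpy(reused, "untrusted");
    int stale_rejected = (resolve(h) == NULL);
    arena_free(reused);
    return stale_rejected;                 /* 1: stale handle is refused */
}
```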
The CVEs issued related to this patch roll-up are –
Depending on your operating system and browser, Flash Player updates are available as follows.
| Product | Updated Versions | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Adobe Flash Player Desktop Runtime | 188.8.131.52 | Windows and Macintosh | 1 | Flash Player Download Center |
| Adobe Flash Player for Google Chrome | 184.108.40.206 | Windows, Macintosh, Linux and Chrome OS | 1 | Google Chrome Releases |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 220.127.116.11 | Windows 10 and 8.1 | 1 | Microsoft Security Advisory |
| Adobe Flash Player for Linux | 18.104.22.1684 | Linux | 3 | Flash Player Download Center |
Happy patching everyone!