Adobe Flash Player was first released by Macromedia on January 1, 1996, as software for running content made on the Adobe Flash platform. Twenty-three years later, Flash Player is still widely used around the world for different applications.
But its popularity doesn’t make Adobe Flash Player free from flaws. Over the years, Adobe has released patches for critical flaws in its Adobe Flash products, and this year is no different. Here’s what we know about Adobe Flash Player’s latest critical update:
A patch for a Flash Player bug has been released
In its regular monthly update, Adobe published a patch for a Flash Player bug tracked as CVE-2019-7845, which was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI). The flaw was rated critical because of how much damage an attacker who exploits it can do.
The Flash Player bug is said to affect version 22.214.171.124 and earlier, where it allows an attacker to exploit Adobe Flash Player using a malicious website or an ActiveX control.
The bug also affects the Flash Player desktop runtime on macOS, Windows and Linux, as well as the Flash Player plugins for Microsoft Edge, Google Chrome and IE 11. In a statement, Dustin Childs of ZDI described the flaw as “a use-after-free vulnerability.”
He further explained: “By performing actions in ActionScript, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code in the context of the current process.” To solve this problem, users are urged to update Adobe Flash Player to version 126.96.36.199, which fixes this bug.
The most severe vulnerability is with Adobe ColdFusion
While there are a total of 11 vulnerabilities found across Adobe’s products, Adobe ColdFusion has the most severe flaws. The company said: “Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve three critical vulnerabilities that could lead to arbitrary code execution.”
These three flaws were later identified as a file extension blacklist bypass (CVE-2019-7838), a command injection flaw (CVE-2019-7839) and a deserialization of untrusted data vulnerability (CVE-2019-7840). To address these vulnerabilities, Adobe released three patches with a priority 1 update rating.
A priority 1 rating means that the update “resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform,” according to Adobe.
Adobe Campaign is also suffering from vulnerabilities
Aside from Adobe Flash and ColdFusion, Adobe’s Campaign technology is also affected by a critical command injection (CVE-2019-7850), three moderate information disclosure flaws (CVE-2019-7941, CVE-2019-7846, and CVE-2019-7848) and three critical vulnerabilities (CVE-2019-7849, CVE-2019-7847, and CVE-2019-7848).
Adobe Campaign is the company’s product that automates the execution of email, social, mobile and offline campaigns. These seven vulnerabilities affect Adobe Campaign Classic versions 19.1.1-9026 and earlier on both Linux and Windows.
Adobe urges its users to update their products immediately to avoid any damage from these vulnerabilities.