Adobe is warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems.

The vulnerability is the only flaw released this month as part of Adobe’s regularly scheduled patches (markedly less than the 18 flaws addressed during its September regularly scheduled fixes). However, it’s a critical bug (CVE-2020-9746), and if successfully exploited could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user, according to Adobe.

“As is typically the case for Flash Player vulnerabilities, web-based exploitation is the primary vector of exploitation but not the only one,” according to Nick Colyer, senior product marketing manager with Automox, in an email. “These vulnerabilities can also be exploited through an embedded ActiveX control [a feature in Remote Desktop Protocol] in a Microsoft Office document or any application that uses the Internet Explorer rendering engine.”

The issue stems from a NULL pointer-dereference error. This type of issue occurs when a program attempts to read or write to memory with a NULL pointer. Running a program that contains a NULL pointer dereference generates an immediate segmentation fault error.

Affected are versions 32.0.0.433 and earlier of Adobe Flash Desktop Runtime (for Windows, macOS and Linux); Adobe Flash Player for Google Chrome (Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1).

A patch is available in version 32.0.0.445 across all affected platforms (see below). Adobe ranks the patch as a “priority 2,” meaning that it “resolves vulnerabilities in a product that has historically been at elevated risk” – however, there are currently no known exploits.

#vulnerabilities #web security #adobe #adobe flash desktop runtime #cve-2020-9746 #linux #macos #null pointer dereference #patch #patch tuesday #vulnerability #windows