Adobe has released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.
Attackers could exploit this flaw by simply inserting malicious strings in HTTP responses while unaware users visit a website.
“Adobe has released security updates for Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Flash Player. Successful exploitation could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user.” reads the security advisory.
“Exploitation of CVE-2020-9746 requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL.”
The exploitation of the flaw could lead to a crash that allows the remote attacker to execute commands on a visitor’s device. These commands would be executed under the security context of the current user and would not have administrator privileges.
Adobe has addressed the flaw with the release of Flash Player 184.108.40.2065, Adobe users have to install it as soon as possible.
Don’t forget that starting on December 31st, 2020, Adobe will no longer distribute or provide updates for its Flash Player.
Experts believe that the move will reduce the risk of web attacks through the users’ browsers. Across the years, threat actors exploited multiple vulnerabilities in the Flash Player.
In June, Adobe has released security updates to address a critical vulnerability in Flash Player for Windows, macOS, Linux, and Chrome OS.
The issue, tracked as CVE-2020-9633, is a user after free vulnerability that could lead to arbitrary code execution in the context of the current user.
(SecurityAffairs – hacking, Adobe)