- Adobe’s Flash Player was found to contain critical vulnerabilities that could lead to arbitrary code execution.
- Two bugs were addressed in the Flash Player 220.127.116.11 release with a priority level of 2, while the DLL hijacking bug was assigned a priority level of 3 (for Windows OS).
On Tuesday, Adobe released multiple security updates in the form of patches for Flash Player on Windows, macOS, Linux, and Chrome OS. The updates address the code execution vulnerabilities discovered in Adobe Flash Player 18.104.22.168 and in DLL files (of Application Manager).
Why it matters: The two flaws, identified as CVE-2019-8070 and CVE-2019-8069, are use-after-free issues that could have allowed attackers to execute arbitrary code in the context of the targeted user.
Both issues were rated as “critical”. However, Adobe researchers claim that exploiting these vulnerabilities would prove to be difficult. Hence, a priority rating of 2 (and 3 on Linux systems) was assigned to these vulnerabilities.
Further, Adobe also fixed a DLL hijacking flaw, tracked as CVE-2019-8076, in the installer of the Application Manager. By exploiting this flaw, attackers could gain access to the user’s system by executing arbitrary code. The vulnerability was classified as “important” and received a priority rating of 3.
“This vulnerability exclusively impacts the installer used with the Adobe Application Manager. CVE-2019-8076 does not impact the existing Application Manager, and there is no action for a customer running earlier versions,” continues the security advisory.
What did Adobe do: For the Flash Player 22.214.171.124 release, Adobe released security updates for Adobe Flash Player for Windows, macOS, Linux, and Chrome OS. These updates address critical vulnerabilities in the software.
For the DLL vulnerability, Adobe released a security update for the Adobe Application Manager installer for Windows. This update resolves the insecure library loading issue in the installer.