Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting webpages or even reading email messages.
A new critical vulnerability has been discovered in Adobe Flash Player which could allow for arbitrary code execution. Depending on the privileges associated with this application, an attacker could then install programs, or view, change or delete data.
While Adobe Flash is slowly being replaced by HTML5, a lot of content still relies on it, so there is still a large install base of Flash Player and this vulnerability is likely to be relevant to most organisations.
Adobe Flash Player is routinely found to contain serious security vulnerabilities, and after the core operating system it is one of the most important software packages to keep up to date, along with web browsers.
Tactics, Techniques and Procedures
There are two likely methods which will be used to compromise systems using these vulnerabilities:
- In a web-based attack: Attackers host a webpage which exploits the vulnerabilities. The attacker cannot push users to visit their websites, but instead creates ways to lure their victims to access them. This can include:
  - Phishing emails containing a link to an infected web page
  - Compromising a legitimate web page with an exploit
    - Through methods such as Cross Site Scripting on forum type sites
    - Following a compromise of the target website
  - Compromising the supply chain of the website to include exploits in external scripts such as advertising
- Using a malicious .SWF file: The vulnerability exists due to a ‘Use After Free’ error when processing .SWF files. In this method the remote attacker will create a specially crafted .SWF file and use social engineering to convince an end user to open it. As soon as the file has been opened, it will trigger the use after free error and execute the arbitrary code on the target machine with the privileges of the current user.
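As an added illustration (not part of the original advisory, and not Adobe or Invinsec tooling), the Python below shows how a mail or web gateway could recognise SWF content by its file header rather than its name, so that a renamed file delivered through the .SWF method above is still flagged. The function names and the sample attachments are constructed for this example.

```python
import struct
import zlib

# SWF header: 3-byte signature, version byte, 4-byte LE uncompressed file length.
SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_INFLATE = 64 * 1024 * 1024  # cap inflation of untrusted input

def identify_swf(data):
    """Return SWF header details if data begins with an SWF header, else None."""
    if len(data) < 8 or data[:3] not in SIGNATURES:
        return None
    version = data[3]
    declared = struct.unpack_from("<I", data, 4)[0]
    if version == 0 or declared < 8:
        return None  # header values that no valid SWF file would carry
    compression = SIGNATURES[data[:3]]
    if compression == "none":
        consistent = declared == len(data)
    elif compression == "zlib":
        try:
            inflater = zlib.decompressobj()
            body = inflater.decompress(data[8:], MAX_INFLATE)
            consistent = inflater.eof and 8 + len(body) == declared
        except zlib.error:
            consistent = False
    else:
        consistent = None  # LZMA body is not inspected in this example
    return {"compression": compression, "version": version,
            "declared_length": declared, "length_consistent": consistent}

def triage(items):
    """items: (filename, bytes) pairs. Report everything that is SWF by content."""
    findings = []
    for name, data in items:
        info = identify_swf(data)
        if info:
            disguised = not name.lower().endswith(".swf")
            findings.append({"name": name, "disguised": disguised, **info})
    return findings

# Constructed sample input: header-only stand-ins, not real Flash content.
_BODY = bytes(13)
SAMPLES = [
    ("banner.swf", b"FWS" + bytes([10]) + struct.pack("<I", 21) + _BODY),
    ("invoice.pdf", b"CWS" + bytes([32]) + struct.pack("<I", 21) + zlib.compress(_BODY)),
    ("notes.txt", b"plain text attachment"),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

A finding with `disguised` set, or with `length_consistent` false, is a reasonable candidate for quarantine or manual review where Flash content is not expected.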
| Vulnerability Impact | Severity | CVE Number |
|---|---|---|
| Arbitrary Code Execution | Critical | CVE-2019-7845 |

Table 1 – Vulnerability Details
- Adobe Flash Player Desktop Runtime, Windows, MacOS and Linux, 22.214.171.124 and earlier versions.
- Adobe Flash Player for Google Chrome, Windows, MacOS, Linux and Chrome OS, 126.96.36.199 and earlier versions.
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11, Windows 10 and 8.1, 188.8.131.52 and earlier versions.
Invinsec recommends the following activities:
- Update Adobe Flash Player Desktop Runtime for Windows, MacOS and Linux to Adobe Flash Player 184.108.40.206
- Run all software as a non-privileged user to reduce the impact of successful exploitation
- Provide end user security awareness, including the risks associated with phishing emails and how to spot them
- Consider removing highly vulnerable software such as Adobe Flash from base “gold” images to reduce exposure where they are not needed