Two Critical Security Flaws Patched in Adobe’s Flash Player
Adobe Flash Player may be dead in a few years, but the company has to continue fixing whatever security disasters it can until then. In the latest Patch Tuesday, Adobe has fixed only two vulnerabilities in Flash Player. While that is a significant drop from the usual 50+ vulnerabilities that Adobe regularly sends fixes for, both of the patched flaws could be exploited for remote code execution.
Rated critical, the Flash Player vulnerabilities are tracked as CVE-2017-11281 and CVE-2017-11282 and were discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero, respectively.
The security flaws fixed today are both caused by memory corruption issues. The company has said that there is no evidence that these flaws have been exploited in the wild. “Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS,” the company wrote in today’s security bulletin. “These updates address two critical memory corruption vulnerabilities that could lead to code execution.”
Adobe has also released patches for vulnerabilities in RoboHelp for Windows, its help authoring tool. One flaw could be exploited for cross-site scripting (XSS) attacks, and another is a moderate-severity unvalidated URL redirect issue that could be leveraged for phishing attacks. The company has credited Reynold Regan of the Center for Technology & Innovation in Chennai (CNSI) for reporting these vulnerabilities. Apart from this, Adobe has also released security patches for flaws in ColdFusion 11 and 2016 to address a critical XML parsing vulnerability and an XSS flaw that could potentially lead to information disclosure.
Adobe will be putting Flash Player on its deathbed by the end of 2020, retiring the product in favor of better and more secure technologies. “Open standards like HTML5, WebGL and WebAssembly have matured over the past several years, most now provide many of the capabilities and functionalities that plugins pioneered and have become a viable alternative for content on the web,” the company wrote. “In collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-life Flash.”
The technology that powered the web for decades will be retired at the end of 2020. Until then, make sure your Flash Player is updated to the latest version to avoid any security issues.