Adobe has released an emergency security update for its Flash Player software to fix an actively-exploited arbitrary code execution (ACE) vulnerability, with Microsoft deeming it severe enough to issue an out-of-band update via Windows Update.
Originally launched as FutureSplash and designed by FutureWave as a competitor to Macromedia's Shockwave rich-media platform, Flash received its current name in 1996 after Macromedia acquired FutureWave before being acquired itself by Adobe in 2005. Designed to offer interactive rich media within web browsers via the use of a Flash Player plug-in, the software filled a gap which has since been overtaken via native functionality including HTML5 - and, unfortunately, introduced a wealth of security holes which Adobe has spent the last decade or so attempting to patch out, while simultaneously issuing a roadmap to the technology's retirement.
The company's latest Flash security update, which covers the Flash Player Desktop Runtime for Windows, macOS, and Linux systems, the Adobe Flash Player built in to Google's Chrome browser, and the one built into Microsoft's Edge and Internet Explorer browsers, is yet another in a lengthy string of issues relating to allowing websites to execute arbitrary code - effectively allowing any site with the permission to run Flash content to run any other code, including malware, in the same context as the browser's user.
It's a flaw Adobe has marked as critical, and one that has prompted Microsoft to issue an out-of-band update for affected Windows systems. Where Microsoft typically reserves all patches, including security updates, for its monthly Patch Tuesday release cycle, the Flash update is being distributed now via Windows Update with the recommendation that users install it as soon as possible in order to avoid exploitation.
Anyone running Adobe Flash Player versions prior to 18.104.22.168 are advised to upgrade at their earliest convenience regardless of operating system, though Adobe advises that the security model used by Linux reduces the severity of the Flash Player Desktop Runtime to level three from Windows' and macOS' level one. More information can be found on Adobe's security advisory.
January 24 2020 | 12:00