Adobe has released a patch for the Flash Player browser plug-in. It fixes a critical vulnerability that allowed an attacker to perform remote code execution on a system. It’s the third security patch Adobe has released for the Player this year, and possibly the last.
The vulnerability is known as CVE-2020-9746. According to Adobe, this is a ‘critical leak’. It is a null pointer dereference vulnerability that occurs when a program writes to memory through a null pointer. This makes arbitrary code execution possible, Adobe writes.
The vulnerability is in the browser plug-in and the desktop software. Affected are versions older than 126.96.36.1993, in both the Adobe Flash Desktop Runtime for Windows, macOS and Linux and the browser versions for Chrome, and version 188.8.131.527 of Flash for Edge and Internet Explorer 11. Adobe says an update for the vulnerability is now available. Users receive it automatically, but can also download it manually.
The patch is the third to be released in 2020 for a Flash Player vulnerability. It may also be the last security patch ever for the software. Flash Player will be phased out as of January 1, 2021. The software is then end-of-life and will no longer receive security updates.