Adobe has released a security update for a critical remote code execution vulnerability in Adobe Flash Player that could be exploited by simply visiting a website.
Adobe states that hackers could exploit this vulnerability, tracked as CVE-2020-9746, by inserting malicious strings in HTTP responses when users visit a website.
“Exploitation of CVE-2020-9746 requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL. ”
When successfully exploited, the vulnerability could lead to a crash that allows the attacker to execute commands on a visitor’s computer remotely. These commands would be executed under the security context of the user and would not have administrator privileges.
To resolve this vulnerability, users should install Adobe Flash Player 126.96.36.1995 as soon as possible.
Adobe to stop distributing Flash
Adobe Flash has long been a source of security vulnerabilities that allow attackers to install malware, execute commands, and takeover of computers when visiting malicious websites.
These problems will end soon as Adobe, in coordination with Apple, Microsoft, Google, and Mozilla, is retiring Adobe Flash at the end of the year.
Starting on December 31st, 2020, Adobe will no longer distribute or update Adobe Flash Player, and web browsers will no longer support the Adobe Flash Plugin.
The deprecation of Adobe Flash Player is good news as it will reduce the attack surface of web browsers and operating systems and remove a point of entry that can be exploited by attackers.