Adobe has issued a patch for its Flash Player software, fixing a critical bug that would have allowed attackers to remotely execute malicious code.
The company labels it as a “type confusion” vulnerability. That means that Flash Player could run a piece of code without verifying what type it is. If an unpatched version of Flash is running, an attacker could trick users into visiting a website hosting malicious code that could then run on the user’s Flash Player, as explained in a security advisory issued by Microsoft.
According to SecurityWeek, the bug was originally reported by Israeli researcher Gil Dabah, who described it in a blog post on Nov. 13. It’s not clear why he disclosed publicly if a patch wasn’t ready, or why there was a week between his disclosure and the release of a patch. Adobe does not credit Dabah in its alert.
Adobe Flash can be installed on a desktop and is embedded in major web browsers, so users should check any version of it running on their systems to make sure it is up-to-date.
Adobe has said that it will discontinue support for Flash by the end of 2020, as will several major companies that run it on their products. Flash has long been derided in the cybersecurity community as one of the most risk-prone pieces of widely used software.