While Adobe Flash Player updates are par for the course for when it comes to anyone who has used a browser for any length of time, Adobe’s latest security bulletin is recommending that all users update their software due to vulnerabilities. This includes those running GNU/Linux as well as Chrome OS, which itself is based on Gentoo. They’re also encouraging those running the Unix-based macOS to update Flash Player, which may be the result of standard procedure though it’s interesting to note what the vulnerabilities entail.
The newest version of the software, 220.127.116.11, fixes the following critical vulnerabilities:
While ‘4945 is a confusion flaw that allows arbitrary code execution and ‘5002 deals with buffer overflows, ‘5000 and ‘5001 are hypothetically more concerning because they enable possible information disclosure. Linux security experts in particular might find this particularly troublesome since user information privacy tends to be heavily emphasized by those who focus on this field.
The information disclosure exploits involve an integer overflow problem and an attempt to read areas of memory that are out-of-bounds. Both of these exploits were only marked as important rather than critical in the latest security bulletin from Adobe Systems, but they’re sure to receive a good deal of coverage in the GNU/Linux community if nothing else.
Vulnerability ‘5002 is the one Adobe is the most concerned about, since it’s already been used in some limited attacks targeting Windows users. This vulnerability users an Office document to download a remote file to a user’s system and the exploit the Adobe Flash platform.
Since this type of attack seems to be specific to the Windows platform, those running operating systems based on the Linux kernel might find the other vulnerabilities to be more of a concern. There hasn’t been any news of the exploit influencing open-source Office alternatives at this time nor have there been any reports of the exploit causing issues for anyone who has the WINE application layer installed to run Windows software on Linux. Anything that allows a remote user to download a file, however, is rather concerning regardless of which platform a user is running.