CVE-2020-9746
📋 TL;DR
Adobe Flash Player versions 32.0.0.433 and earlier contain a NULL pointer dereference vulnerability that could allow remote code execution. Attackers can exploit this by delivering malicious strings in HTTP responses, typically over TLS/SSL. This affects all users running vulnerable Flash Player versions.
💻 Affected Systems
- Adobe Flash Player
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary code execution, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Application crash followed by arbitrary code execution within the Flash Player context, allowing attacker control over the affected system.
If Mitigated
Application crash without code execution if exploit fails or protections block it.
🎯 Exploit Status
Exploitation requires delivering malicious strings in HTTP responses, which attackers can achieve through compromised websites or man-in-the-middle attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 32.0.0.445 or later
Vendor Advisory: https://helpx.adobe.com/security/products/flash-player/apsb20-58.html
Restart Required: Yes
Instructions:
1. Visit Adobe Flash Player download page.
2. Download latest version (32.0.0.445+).
3. Run installer.
4. Restart browser/system.
5. Verify update via Flash Player settings.
🔧 Temporary Workarounds
Disable Flash Player
Platform: all. Completely disable Adobe Flash Player in browsers to prevent exploitation.
Browser-specific:
- Chrome: chrome://settings/content/flash
- Firefox: about:addons > Plugins > Shockwave Flash > Never Activate
- Edge: edge://settings/content/flash
Block Flash via Group Policy
Platform: Windows. Use Group Policy to disable Flash Player across enterprise systems.
gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Adobe Flash Player > Turn off Adobe Flash Player and prevent applications from using it
🧯 If You Can't Patch
- Disable Flash Player entirely in all browsers and applications.
- Implement network filtering to block Flash content (.swf files) at perimeter.
🔍 How to Verify
Check if Vulnerable:
Check Flash Player version in browser: right-click Flash content > About Adobe Flash Player, or visit Adobe's verification page.
Check Version:
- Windows: reg query "HKLM\SOFTWARE\Macromedia\FlashPlayer" /v CurrentVersion
- Linux: dpkg -l | grep flash
- macOS: /Library/Internet Plug-Ins/Flash Player.plugin/Contents/version.txt
Verify Fix Applied:
Confirm version is 32.0.0.445 or higher via Flash Player settings or Adobe verification page.
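An added example (not from Adobe or the original page) that compares collected version strings against the fixed build 32.0.0.445 field by field, since a plain string comparison misorders builds such as 32.0.0.99. The host names, the sample outputs and the acceptance of comma-separated fields are assumptions made for illustration.

```python
import re

# First fixed build named on this page (APSB20-58).
FIXED = (32, 0, 0, 445)

# Four numeric fields separated by dots or commas (accepting commas is an
# assumption about how some tools print the version).
_VERSION_RE = re.compile(r"(?<![\d.,])(\d+)[.,](\d+)[.,](\d+)[.,](\d+)(?![.,]?\d)")


def parse_version(text):
    """Return the first four-part version found in text as ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify one piece of tool output as vulnerable, patched or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # no version found: Flash absent or output unreadable
    # Tuples compare field by field as numbers. Comparing the raw strings
    # would wrongly rank "32.0.0.99" above "32.0.0.445".
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    """Group host names by status; inventory maps host -> raw tool output."""
    groups = {"vulnerable": [], "patched": [], "unknown": []}
    for host, output in inventory.items():
        groups[classify(output)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample data: host names and outputs are illustrative only.
SAMPLE_INVENTORY = {
    "win-01": "    CurrentVersion    REG_SZ    32,0,0,433",
    "win-02": "    CurrentVersion    REG_SZ    32,0,0,445",
    "mac-01": "32.0.0.99",
    "mac-02": "32.0.1.0",
    "win-03": "ERROR: The system was unable to find the specified registry key or value.",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check, because a missing version can mean either that Flash Player is not installed or that the collection step failed.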
📡 Detection & Monitoring
Log Indicators:
- Flash Player crash logs with NULL pointer references
- Unexpected Flash Player process termination
- Security software alerts for Flash exploitation attempts
Network Indicators:
- HTTP responses containing unusually long or malformed strings targeting Flash
- Traffic to known malicious domains serving Flash exploits
SIEM Query:
source="*flash*" AND (event_type="crash" OR message="*NULL*" OR message="*dereference*")