CVE-2020-9753
Description
Whale Browser Installer before 2.6.88.19 lacks signature verification for the Flash installer, enabling potential code execution via a tampered update.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Whale Browser Installer prior to version 2.6.88.19 does not perform signature verification when downloading or installing the Adobe Flash Player component [1]. This omission means the installer trusts any Flash installer it receives without validating its authenticity or integrity, leaving the update process vulnerable to substitution attacks.
Exploitation
An attacker with a network position capable of intercepting or redirecting the installer's update traffic (e.g., via a man-in-the-middle attack or compromised update channel) can replace the legitimate Flash installer with a malicious executable. No additional authentication or user interaction beyond the normal installation flow is required; the victim simply runs the Whale Browser Installer, which then fetches and executes the attacker-supplied payload.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the victim's system with the privileges of the user running the installer. This can lead to full compromise of the affected machine, including data theft, installation of malware, or further lateral movement within a network.
Mitigation
Users should update the Whale Browser Installer to version 2.6.88.19 or later, which includes proper signature verification for the Flash installer [1]. No workaround is available for earlier versions; the only effective mitigation is to apply the update.
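The check whose absence is described above, shown as an added PowerShell example: a downloaded installer is executed only if its Authenticode signature is valid and comes from a pinned publisher. This is not NAVER's code or the actual fix; the file path and the publisher subject are placeholders.

```powershell
# Added example: gate execution of a downloaded installer on its Authenticode signature.
# Not the vendor's implementation. Path and publisher subject below are placeholders.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Only 'Valid' is accepted. NotSigned, HashMismatch, NotTrusted and
    # UnknownError all fail closed, so a tampered or unsigned file never runs.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Rejected ${Path}: signature status is $($sig.Status)"
        return $false
    }

    # A valid signature from any publisher is not enough: pin the expected signer.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedSubject) {
        Write-Warning "Rejected ${Path}: unexpected signer '$subject'"
        return $false
    }

    return $true
}

# Hypothetical download location and placeholder publisher subject.
$installer = Join-Path $env:TEMP 'component-installer.exe'
$publisher = 'CN=Example Publisher, O=Example Publisher, C=US'

if (Test-InstallerSignature -Path $installer -ExpectedSubject $publisher) {
    Start-Process -FilePath $installer -Wait
} else {
    # Do not leave a rejected binary on disk where something else might launch it.
    Remove-Item -LiteralPath $installer -Force -ErrorAction SilentlyContinue
}
```

The file should be verified and launched from a directory that other users cannot write to, so it cannot be swapped between the check and execution.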
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.2.0.5
- NAVER Corporation/Whale Browser Installer v5 Range: unspecified
Patches
No patches discovered yet.
References
[1] cve.naver.com/detail/cve-2020-9753 (mitre, x_refsource_CONFIRM)