Quick summary - it's a bug in the PCRE regex engine as used in Flash. Spoiler: it's exploitable. [...]
Below is what happens when we compile a regex that combines the \c escape sequence (which is intended to match a single ASCII character) with a multibyte UTF-8 character. A simple trigger for the bug is '\\c\xd0\x80+', below. [...]
So clearly something has gone wrong... The question is now how to leverage this invalid bytecode to get code execution.
Previously, previously, previously, previously, previously, previously, previously, previously.
Flash has fully taken over Java's role of 'plugin you want to uninstall but need to keep around to access that one old web interface' now hasn't it?
And a few hours after I write that we move to a new courier service that insist on using Java on their website to print the labels automatically. WHY?!
Just a couple years ago, the place I am now a former employee of used an old ADP online app that not only was Java, but required IE6. Alone, neither of those make sense but combined I think it means there's a glitch in the Matrix.
You may need to keep a browser around for some internal shit. Keep it in a VM if possible, and use a proper browser for everything else.