Beware: Hackers exploit Adobe’s latest Flash Player vunerabilities
By Partho, Gaea News NetworkThursday, July 23, 2009
Adobe’s impeccable Flash Player is in brown study with the latest version showing up vulnerabilities that might be targeted by the hackers. Researchers have warned that computer jocks can exploit the loopholes in the latest Flash Player to gain complete control over an end users computer. Next time you visit a website playing Flash Player take guard it might be compromised. The exploit can be triggered with the help of malacious PDF files opened by Adobe Reader or using the more conventional technique that requires a 1.1 kilobyte Adobe Flash file to target the vulnerability. Currently, there are small number of attacks, most likely to surge.
According to Paul Royal, principal researcher for Purewire, a company that protects web users against malicious sites, there are just a handful of websites that have suffered the zero-day exploit. The attacks would proliferate once the concept version of the weaponized vulnerability gets published. He predicts,
Once this thing hits Milw0rm you'll see thousands of sites.
Adding to the woes none of the major anti-virus engines were able to detect the poisoned SWF files at the time of writing. Further, some sites serving the malicious, one frame movie have been compromised providing loopholes for the attack.
The second line of attack is rare and involves the use of booby-trapped PDF documents, which triggers the Flash vulnerability once opened, as provided by Purewire and Symantec.
To block this method Adobe Reader has to be prevented from running javascript. But, the user needs to know that it does nothing to prevent them from being compromised by the malicious SWF files.
Two months ago, Adobe vowed to beef up the security of its Reader and Acrobat document application by conducting more testing and compatible schedule of patching. Initially it seemed to be heading towards a good start, but, vulnerabilities in the latest exploits show the shortsightedness of not employing a similar build to Flash Player, which runs on most operating systems including Windows, Mac OS X and Linux
Adobe’s Stance
From what it appears in the bug report on Adobe’s website the defect behind the Flash exploit was reported in December. While the bug was reported to trigger the crash, the report suggested it was reproducible every time.
An analysis of the PDF exploit suggests that the source code was compiled on July 9. This makes it clear that the attacks have been circulating for some weeks now.
Although Adobe’s product security response team has issued a two-sentence advisory that its investigating the reports of venerability in the latest version of both its Reader and Flash application, there was no information on any work-around or a fix.
For a known solution the threat can be mete out using Firefox plugins such as NoScript. However, it not a full proof protection, since any one of your trusted sites might be compromised by the attackers.
July 24, 2009: 7:55 am
Another reason why Adobe needs to open-source *all* of the Flash / RTMP protocol and details, instead of trying to “embrace and extend”: |
StudMantra