Topic: New flaw in Adobe Flash Player being exploited in the wild
Wiz Feinberg
From: Mid-Michigan, USA
Posted 28 May 2008 7:50 am

An unpatched bug in Adobe Systems' Flash Player software is being exploited by online criminals, Symantec reported Monday.

Few details on the bug are available, but the flaw lies in the latest version of the Adobe Flash Player browser plugin, which is widely used by Internet surfers to view animated Web pages. The flaw affects both the recently released Flash Player version 9.0.124.0 and version 9.0.115.0, according to an advisory posted Monday to Symantec's Security Focus Web site.

Continued investigation reveals that this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages), most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.

Adobe is aware of the reports and is investigating the issue.
<hr>
I will alert you as soon as I learn more details and when a new patched version of Flash Player has been released. In the meantime you can protect yourselves by installing the No! Flash plug-in for Internet Explorer, or the NoScript plug-in for Firefox. Read the instructions on those websites to learn how to configure these security toolbars. They can save your ass in the event you happen upon a web page containing hostile codes in Flash files. NoScript also protects against cross-site scripting attacks and JavaScript redirect exploits.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog

Wiz Feinberg
From: Mid-Michigan, USA
Posted 29 May 2008 6:40 am

There appears to be some confusion regarding this exploit. Symantec is now backing off its claim that this is a new vulnerability. It appears to be aimed at previous versions of Flash Player, such as 9.0.115, rather than the current version - 9.0.124. Furthermore, the exploit succeeded with Flash Player 9.0.124 on a Linux box. It crashed the player on a Windows computer, but did not infect the computer.

The security community is seeing various Flash exploits being used in combination with SQL injection attacks that have compromised thousands of websites. That's why you should always keep up with patches for third party applications that plug into your browsers.

So, if you are surfing the net on a Linux machine and have Adobe Flash Player 9.0.124 installed, you may be at risk. Windows users may or may not be at risk. In any case, Adobe is investigating this and other issues and will release a patched version very soon, when the exact vulnerability becomes known to them.

Adobe is also currently in late beta development of the next generation of Flash Player: version 10. It features support for 3D rendering and other exciting new display modes. I'll keep you posted on its development as it nears a public release date.

Wiz Feinberg
From: Mid-Michigan, USA
Posted 29 May 2008 8:56 am (Update: May 29, 2008)

Update from Adobe, on 5/29/2008

UPDATE: This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0. We strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.