|
|
|
April 17th, 2008
dkmnow
| 07:20 am - New Flash-Hack Endangers Most OSes and Browsers
As if Flash Player weren't annoying enough already -- owing only partly to the fact that it's virtually impossible to avoid -- it is now a potential conduit for some of the most lethal security breaches known to the net.
Yay. Thanks again, Adobe.
But sincere thanks to ![[info]](https://www.insanejournal.com/img/userinfo.gif) dogemperor for this warning:
[...]
The reason this is a particularly nasty exploit:
a) It is apparently cross-OS and cross-browser (versions of Flash for IE, Firefox, and Opera are known to be vulnerable under at least Windows, and probably under Linux (include Mozilla-derived browsers like Galeon, Iceape, Iceweasel, etc. to the list as well as (probably) KMeleon) and MacOS X (include Safari in the list). There are in fact indications that this exploit may be usable with any operating system running under x86 processors (all PCs, and all Intel MacOS X boxen) with an Adobe Flash implementation.
b) This particular exploit is very similar to exploits that have been used to drop malware on systems--even worse, it can run arbitrary code at the permissions level associated with Flash. Even various "permissions levels" may not be a fine-grained enough protection (Windows Vista, which otherwise does generally require administrator access to install programs (and implements sudo in possibly the most broken manner ever devised in an operating system, but we won't get into *that* rant :D), is reportedly vulnerable).
c) There is a possibility (not yet fully explored) that some of the flash alternative programs may also have this vulnerability--and one area of research also includes FLV files. (The main programs of concern here would be FLV Player and VLC Media Player, both of which can play FLV "rips" from Youtube natively.)
[....]
This includes Macs running Safari, Firefox, IE, Opera, and more. It may be that PPC Macs (G3, G4, G5) are not affected, as dogemperor's post suggests, but I haven't verified that. Also, just to be safe, I wouldn't count on Flashblock (or equiv.) to protect completely. I'd recommend updating Flash Player anyway, especially if you have an Intel Mac.
From Adobe's April 8, 2008, bulletin:
Summary
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.
Due to the possibility that these security enhancements and changes may impact existing Flash content, content developers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition.
[...]
Affected software versions
Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier.
[...]
Security bulletin: Flash Player update available to address security vulnerabilities
Check your current version of Flash Player here.
(best to check separately for each browser)
Developer's technical "white paper" [PDF}
We've all seen how well "abstinence only" works. Go get your protection today!
|
|
|
|
|
|
InsaneJournal |