David K. March (dkmnow) wrote in macintosh, @ 2008-04-17 07:20:00 |
|
|||
[...]
The reason this is a particularly nasty exploit:
a) It is apparently cross-OS and cross-browser (versions of Flash for IE, Firefox, and Opera are known to be vulnerable under at least Windows, and probably under Linux (include Mozilla-derived browsers like Galeon, Iceape, Iceweasel, etc. to the list as well as (probably) KMeleon) and MacOS X (include Safari in the list). There are in fact indications that this exploit may be usable with any operating system running under x86 processors (all PCs, and all Intel MacOS X boxen) with an Adobe Flash implementation.
b) This particular exploit is very similar to exploits that have been used to drop malware on systems--even worse, it can run arbitrary code at the permissions level associated with Flash. Even various "permissions levels" may not be a fine-grained enough protection (Windows Vista, which otherwise does generally require administrator access to install programs (and implements sudo in possibly the most broken manner ever devised in an operating system, but we won't get into *that* rant :D), is reportedly vulnerable).
c) There is a possibility (not yet fully explored) that some of the flash alternative programs may also have this vulnerability--and one area of research also includes FLV files. (The main programs of concern here would be FLV Player and VLC Media Player, both of which can play FLV "rips" from Youtube natively.)
[....]
Summary
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.
Due to the possibility that these security enhancements and changes may impact existing Flash content, content developers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition.
[...]
Affected software versions
Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier.
[...]