posted by Jordan Spencer Cunningham on Mon 27th Jul 2009 20:53 UTC
Adobe Flash. It's everywhere. Not all of us want it, but many are forced into submission simply because it's weaseled its way into a myriad of applied and common uses. This just makes all the worse the news that a vulnerability in Adobe Flash, Reader, and Acrobat applications is allowing malcontents to exploit computers with these products installed.

Adobe has confirmed that this vulnerability exists and is currently working to remedy it. As it is, many of the major companies that provide antiviral software have already updated their applications to catch one of the exploits, which is carried out by way of a PDF file sent in an email; these PDF-equipped emails are generally targeted at corporations rather than personal accounts.

According to Paul Royal, principal researcher at Purewire, the other type of attack that currently remains unchallenged is merely "a Flash movie of one-frame length. This malicious Flash file is being embedded in Web pages, sometimes of legitimate Web sites that are compromised." According to his research, this multimedia attack's code is just different enough from the PDF attack that it will not be caught by many antiviral programs until a separate package can be designed.

From Adobe: "A critical vulnerability exists in the current versions of Flash Player (v9.0159.0 and v.10.022.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v.9x for Windows, Macintosh and Unix operating systems. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." So if you were thinking that you're safe with a Linux-based system or OS X, you're unfortunately incorrect.

This vulnerability has apparently been known about since December of last year, but then it was merely regarded as a bug. It probably began to be exploited around the beginning of July. Still, it'd be nice for known and exploitable bugs to be fixed within a reasonable time after being found. The good news is that Adobe will have a fix brewed up for most of the exploitable applications by the end of this month.

Not that it's the end of the world and that we ought to shun Flash simply because of this exploit alone, but it's no secret that Flash isn't liked by a lot of people for varied reasons, and this will just pile on top of them. Taking a leaf out of Kroc Camen's book, I suggest that, if this new exploit in the Flash implementation bothers you enough, simply do without. Has the time been long coming for newer, better multimedia implementations? Is this the final straw for you? Should it be the final straw for everyone else, too? Or is it just another storm that'll blow by?

The comments are waiting.
