ADOBE FLASH PROBLEMS, FLASH PLAYER SECURITY ISSUES, FLASH EXPLOIT & VULNERABILITIES, ADOBE SWF FLAWS
This page contains information on Adobe flash security problems - issues, vulnerabilities, flaws, flash exploit problems, and cracks in Adobe Flash Security and Adobe Flash Security Player. It is widely recognized that the design of Adobe's Flash Player is insecure. Many sites provide information on how to make flash files more secure from attack and this article on Flash Security makes for useful reading.
For an up-to-date list of Adobe Flash security problems, issues, advisories and bulletins please see Adobe's web site.
Programming to avoid Adobe Flash Security problems, exploit issues & flaws
If you are developing Adobe flash applications then these articles will help you make your flash applications more secure by showing you what measures you can implement to avoid malicious data injection, flash exploit problems, cross scripting attacks and other known flash security vulnerabilities.
Top security threats to Flash/Flex applications and how to avoid them - Part 1
Top security threats to Flash/Flex applications and how to avoid them - Part 2
Adobe Flash security vulnerabilities, exploits, issues - 2013
Adobe releases emergency flash security update - February 2013
Adobe has released an unscheduled patch to prevent malware attacks which are being carried out in the wild on OSX and Windows. Malicious SWF content is delivered either in web sites or in MS Word files.
Adobe Flash security issues, SWF vulnerabilities & exploits - 2012
Adobe fixes 25 flash security vulnerabilities - October 2012
Adobe's updates are described in Security Bulletin APSB12-22. The fixes cover 25 separate vulnerability disclosures.
The Microsoft update is Security Advisory 2755801, which references a support document covering "vulnerabilities in Adobe Flash Player in Internet Explorer 10 (KB2758994)."
Adobe flash player security hit by fake apps - August 2012
Following the announcement from Adobe to drop Flash player for mobile devices, scammers cashed in on the removal of Flash Player from the Google Play app store by creating fake or pirated versions of the Flash Player app containing adware and trojans and distributing them on third-party sites.
Adobe patches seven critical flash vulnerabilities - June 2012
The flaws included memory corruption, integer and stack overflow, and security bypass bugs such as DLL load hijacking.
Emergency flash security patch fixes latest Adobe flash player vulnerability - May 2012
Adobe's latest flash security fix addresses the most recent Flash Player vulnerability being exploited in active targeted attacks. Users are tricked into clicking on a malicious file delivered in an email message, which lets hackers gain control over their computers.
Critical flash security update for hacker vulnerability - March 2012
Adobe has released a security update for Adobe Flash. The update fixes two problems – the first is a memory corruption vulnerability in Matrix3D that could lead to unauthorized code execution. The second vulnerability patched is an integer error that can lead to information disclosure.
Adobe releases flash security patch for critical vulnerability - February 2012
Adobe's latest flash security patch fixes a zero-day cross-site scripting flaw which could be used to take actions on a user's behalf if the user visits a malicious website or clicks on a malicious link delivered in an email message. This flash security vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks.
Adobe Flash problems, player security issues & exploits - 2011
Adobe flash security critical updates for Flash player - November 2011
Adobe have released their latest security patches for flash player that fix several memory corruption, buffer overflow and stack overflow vulnerabilities in Adobe Flash Player which attackers could exploit to cause a crash on the system running Adobe Flash technologies. Adobe say their next flash player version will include automatic updates to ensure security issues are fixed as soon as patches are available.
Flash security vulnerability causes video snooping issue - October 2011
A security bug in Adobe flash player could allow websites to turn on a user's camera and microphone without their knowledge. The flaw was first reported in 2008 and fixed by Adobe but a user demonstrated how it could still be exploited on Mac computers today.
Flash security emergency update addresses critical security issues in flash player - September 2011
This flash security update fixes cross-site scripting issues and other critical flash security issues that were reported earlier in the year, most notably the RSA attack which happened when an employee opened a spreadsheet that contained a zero-day exploit which installed a backdoor through an Adobe Flash vulnerability.
Flash security hole opens computers for attack - June 2011
The latest Adobe flash security problem enables malware-infested sites to manipulate a user's computer or Android device and run wild with it (access websites, use e-mail, and access applications). Targeted attacks through links in e-mails are spreading the malware further. A flash security fix to stop this problem can be downloaded from Adobe's site.
Flash security flaw causes major problems in Word and Excel - April 2011
The latest flash security exploit enables malicious flash code to be inserted into Word documents and Excel spreadsheets that, on opening, send sensitive company information back to hackers. It spreads like a virus by emailing itself to recipients on the company's email list.
Google Chrome offers to help stop Flash security problems - March 2011
Google have extended their flash security sandbox to allow Adobe flash to take advantage of it. Google have also enhanced plug-in security by notifying the user of out-of-date plug-ins that may cause vulnerabilities.
Flash security vulnerabilities affects Microsoft Excel - March 2011
A flash security issue is currently being exploited by hackers by embedding malicious SWF files into Microsoft Excel spreadsheets. These are then emailed to unsuspecting users. All major OS's are affected by this flash security flaw.
USB flash security compromised by major design flaw - February 2011
Secure flash drives manufactured by some of the big-brand flash memory makers can be sent an 'unlock' flag which makes them unlock without requiring the password. The system is inherently insecure because when the secure flash drive software authenticates the supplied password it sends an 'unlock' flag to the drive (a common 'conditional jump'), which can be patched to unlock the device.
Adobe flash security sandbox bypassed - January 2011
Adobe flash player security has been bypassed by a security researcher who used a file request to a network machine. Adobe flash problems were meant to be minimized by use of the sandbox but the security researcher detailed how this could be easily bypassed by a malicious person.
Adobe Flash Security issues, problems & SWF vulnerabilities - 2010
Google Sandbox Flash to help prevent security issues - December 2010
Starting with the open-source Chromium version for Windows, Adobe's plugin will block off access to certain vital parts of the browser code to prevent some if not most security exploits.
Latest flash security issue enables malicious code execution - November 2010
This latest flash security problem could enable an attacker to take control of a user's entire system. The vulnerabilities occur in Flash Player 10.1.85.3 and earlier versions for Windows, Mac, Linux, Solaris and Android.
Latest flash security issue also affects Adobe Acrobat & Reader - October 2010
Secunia ranked the Flash flaw as "extremely critical" and said hackers could use it to compromise systems and execute malicious code.
Adobe fix latest flash security issue ahead of schedule - September 2010
Adobe have responded to industry pressure and released their fix for the crash flaw reported back in June a week early. A security fix for Google Chrome was released 3 days earlier.
Flash security issue - a feeling of Déjà vu strikes again - September 2010
Adobe have announced a flaw in version 10.1.82.76 of their Flash Player which could cause a crash and allow an attacker to take control of the affected computer. This sounds amazingly similar to the Flash security issue reported in June... Adobe flash security warning.
Flash security is a major issue for US educational sites - July 2010
The majority of U.S. educational websites are failing to adequately secure pages that contain flash. Many sites are not kept up to date and so remain vulnerable, whilst others have hardcoded login information into their applications. Out of 250 educational sites tested, only 2 had no flash security issues.
Adobe Flash security patch released - July 2010
Adobe have issued, earlier than expected, a patch to their flash player to fix the critical vulnerability that allows hackers to take control of users' computers.
Adobe flash security warning - June 2010
Adobe Flash player has been exploited yet again. The exploit allows attackers to use maliciously crafted Flash content to crash the Flash player, and potentially take control of the affected computer. The exploit impacts the Mac, Windows, Linux and Solaris versions of Flash Player, and the Mac, Windows and UNIX versions of Adobe Reader and Acrobat.
Hackers attack WOW users using Adobe flash security flaw - January 2010
World of Warcraft users woke up to find themselves banned or have their accounts drained due to Adobe Flash being exploited. A similar incident occurred in 2008.
Adobe Flash Security issues, exploit problems and player flaws - 2009
Adobe flash security gets updated with latest bug fixes - December 2009
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved "multiple crash vulnerabilities." It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information.
Flash flaw puts web sites and users at risk - November 2009
This vulnerability allows the same-origin policy of Adobe Flash to be exploited to allow nearly any site that allows user generated content to be attacked. If a hacker can get a Flash object onto your server, they can execute scripts in the context of your domain and use it to attack the server. Almost everyone using the Internet is vulnerable to a website that allows content to be updated inappropriately which can then launch silent attacks on visitors to those sites.
Upgrading to latest Mac OS downgrades Flash security - September 2009
Apple Mac users are being urged by security company Sophos to upgrade Adobe Flash after installing Snow Leopard, Apple's latest Mac operating system. Installing the new OS automatically downgrades the version of Adobe Flash on the user's computer, putting them at risk of serious flash security vulnerabilities.
80% of Adobe Flash users vulnerable to security attack - August 2009
Security vendor Trusteer said "Targeting vulnerabilities in these applications is extremely efficient since it enables criminals to target the 99 percent of Internet users using the Flash plugin." Adobe is working to address the problem, but Trusteer says the difficulty is in their update mechanism, which lags industry standards for effectively distributing security patches to the field.
Security compromised by Adobe Flash bug in malicious PDF files - July 2009
On opening the PDF or a web page containing an infected flash file, this exploit will allow malware to be dropped onto the victim's machine. When the exploit fires, it checks the Flash version on the vulnerable computer and, depending on the result, it uses a different .SWF (shockwave) file to take complete control of the machine. Symantec reports that this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.
Adobe Streamed Flash (FLV) DRM provides little security - May 2009
Adobe added encryption to its proprietary protocol on introducing Flash Media Server 3 in order to prevent the recording of Flash content, and defined RTMPE (RTMP encrypted) for the purpose. A recently published analysis of RTMPE comes to the conclusion that, although the algorithm "provides end-to-end secrecy in exactly the same way that SSL provides end-to-end secrecy, it provides no security and uses no authentication of any kind." Nowhere is a secret key, a password or even a pass phrase required in order to decrypt the content: only a 32-byte hash value plus the size of the SWF file and publicly exchanged information, specifically the last 32 bytes of the first response from the streaming server, are involved.
Adobe's Flash Files Expose Websites to XSS Attacks - May 2009
Vulnerable Adobe flash files can be modified by cyber-criminals to launch XSS and phishing assaults (unaware users can be forwarded to phishing or malicious sites from the legitimate ones), cookie hijacking and theft of users' passwords. Security researchers have also found that flash files could be easily used by criminals to interfere with official sites belonging to government agencies, banks and other reliable organizations.
Fake Flash Site causes major security issue - May 2009
The site displays a message requesting the user download "a new version of Adobe Flash Player" in order to view a video on the site, but instead installs malware on the user's computer.
Flash security issues gain momentum - April 2009
The Sophos 2009 Security Threat Report warned that hackers are increasingly looking at commonly used browser plugins like Adobe Flash and PDF in their attempts to infect innocent computer users. The report said "The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build web attack pages incorporating booby-trapped code. The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date."
Flash security risks with streaming video - April 2009
Video streaming is bad news when it comes to security. Apart from having to have the UDP ports of your firewall left open, there are vulnerabilities in the technology itself. And if that is not enough, there is the obvious matter of the drain on resources which could bring your network to a crawl...
Flash plug-in issue causes malware to invade users' computers whilst surfing the web - April 2009
Flash browser plug-ins are used in attacks known as "drive-by downloads" in which malware is surreptitiously downloaded onto a computer while the user is surfing the Internet.
HP provide free flash security tool to help secure flash files - March 2009
HP is providing a free flash security tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites. HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe's best security practices guidelines. The tool works with all versions of Flash.
Flash security issues are mainly due to bad programming - February 2009
With hackers increasingly targeting Web 2.0 sites, knowing how to develop secure Adobe Flash applications can be a difference maker when it comes to avoiding mass compromises.
Adobe Flash problems, Flash player security & exploit issues - 2008
Flash security controls bypassed by latest vulnerability - October 2008
This update addresses previously reported 'Clickjacking' issues, enhancement of Flash Player's interpretation of cross-domain policy files, functionality to further mitigate a potential port-scanning issue, and changes to the Clipboard API that will prevent potential 'Clipboard attacks'.
Clickjacking issue affects Adobe flash player - October 2008
An attacker could lure the unsuspecting user into clicking on a link that would give the attacker access to the computer’s microphone and webcam without the user's knowledge.
Adobe updates flash plugin to address previous security vulnerabilities - April 2008
Adobe has again updated its flash player with more security updates as previous vulnerabilities were being actively exploited, with users' computers attacked by malicious flash files.
Flash plug-in may not be legitimate - 2008
During 2008 Sophos encountered many examples of legitimate blogs and message boards carrying comments which linked to websites pretending to offer adult videos, but which actually demanded a browser plugin upgrade before anything could be seen. The updated fake codec or bogus Flash Player software that the user downloaded was in reality scareware that attempts to frighten the user into purchasing fake security software.
Adobe Flash Security issues, player issues, exploit problems and flaws - 2007
Flash plug-in security issue leaves computers open to attack - December 2007
An input validation flaw was found in the way Flash Player displayed certain content. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file.
Critical flash vulnerability enables execution of arbitrary code - July 2007
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker to take control of the affected system by a malicious SWF file being loaded in Flash Player.
Flash security issue compromises HTTP headers - October 2006
This vulnerability could be exploited by malicious web sites to modify HTTP headers of client requests and conduct HTTP request splitting and cross-site request forgery attacks.