This page contains information on flaws and cracks in Adobe Flash Security and Adobe Flash Security Player. It is widely recognized that the design of Adobe's Flash Player is insecure. Many sites provide information on how to make Flash files more secure from attack, and this article on Flash Security makes for useful reading. For an up-to-date list of Adobe Flash security advisories, please see Adobe's web site.
Adobe Flash Security Flaws and issues - 2010
Hackers attack WOW users using Adobe flash security flaw - January 2010
World of Warcraft users woke up to find themselves banned or their accounts drained due to Adobe Flash being exploited. A similar incident occurred in 2008.
Adobe Flash Security Flaws and issues - 2009
Adobe flash security gets updated with latest bug fixes - December 2009
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved "multiple crash vulnerabilities." It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information.
Flash flaw puts web sites and users at risk - November 2009
This vulnerability allows the same-origin policy of Adobe Flash to be exploited to allow nearly any site that allows user generated content to be attacked. If a hacker can get a Flash object onto your server, they can execute scripts in the context of your domain and use it to attack the server. Almost everyone using the Internet is vulnerable to a website that allows content to be updated inappropriately which can then launch silent attacks on visitors to those sites.
Upgrading to latest Mac OS downgrades Flash security - September 2009
Apple Mac users are being urged by security company Sophos to upgrade Adobe Flash after installing Snow Leopard, the latest Apple Mac operating system. Installing the new OS automatically downgrades the version of Adobe Flash on the user's computer, putting them at risk of serious Flash security vulnerabilities.
80% of Adobe Flash users vulnerable to security attack - August 2009
Security vendor Trusteer said "Targeting vulnerabilities in these applications is extremely efficient since it enables criminals to target the 99 percent of Internet users using the Flash plugin." Adobe is working to address the problem, but Trusteer says the difficulty is in their update mechanism, which lags industry standards for effectively distributing security patches to the field.
Security compromised by Adobe Flash bug in malicious PDF files - July 2009
On opening the PDF or a web page containing an infected flash file, this exploit will allow malware to be dropped onto the victim's machine. When the exploit fires, it checks the Flash version on the vulnerable computer and, depending on the result, it uses a different .SWF (shockwave) file to take complete control of the machine. Symantec reports that this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.
Adobe Streamed Flash (FLV) DRM provides little security - May 2009
Adobe added encryption to its proprietary protocol on introducing Flash Media Server 3 in order to prevent the recording of Flash content, and defined RTMPE (RTMP encrypted) for the purpose. A recently published analysis of RTMPE comes to the conclusion that, although the algorithm "provides end-to-end secrecy in exactly the same way that SSL provides end-to-end secrecy, it provides no security and uses no authentication of any kind." Nowhere is a secret key, a password or even a pass phrase required in order to decrypt the content: only a 32-byte hash value plus the size of the SWF file and publicly exchanged information, specifically the last 32 bytes of the first response from the streaming server, are involved.
Adobe's Flash Files Expose Websites to XSS Attacks - May 2009
Vulnerable Adobe Flash files can be modified by cyber-criminals to launch XSS and phishing assaults (unaware users can be forwarded to phishing or malicious sites from the legitimate ones), cookie hijacking and theft of users' passwords. Security researchers have also found that Flash files could easily be used by criminals to interfere with official sites belonging to government agencies, banks and other reliable organizations.
Fake Flash Site causes major security issue - May 2009
The site displays a message asking the user to download "a new version of Adobe Flash Player" in order to view a video on the site, but instead installs malware on the user's computer.
Flash security issues gain momentum - April 2009
The Sophos 2009 Security Threat Report warned that hackers are increasingly looking at commonly used browser plugins like Adobe Flash and PDF in their attempts to infect innocent computer users. The report said "The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build web attack pages incorporating booby-trapped code. The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date."
Flash security risks with streaming video - April 2009
Video streaming is bad news when it comes to security. Apart from having to have the UDP ports of your firewall left open, there are vulnerabilities in the technology itself. And if that is not enough, there is the obvious matter of the drain on resources which could bring your network to a crawl...
Flash plug-in issue causes malware to invade users' computers whilst surfing the web - April 2009
Flash browser plug-ins are used in attacks known as "drive-by downloads" in which malware is surreptitiously downloaded onto a computer while the user is surfing the Internet.
HP provide free flash security tool to help secure flash files - March 2009
HP is providing a free flash security tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites. HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe's best security practices guidelines. The tool works with all versions of Flash.
Flash security issues are mainly due to bad programming - February 2009
With hackers increasingly targeting Web 2.0 sites, knowing how to develop secure Adobe Flash applications can be a difference maker when it comes to avoiding mass compromises.
Adobe Flash Security Flaws - 2008
Flash security controls bypassed by latest vulnerability - October 2008
This update addresses previously reported ‘Clickjacking’ issues, enhancement of Flash Player’s interpretation of cross-domain policy files, functionality to further mitigate a potential port-scanning issue, and changes to the Clipboard API that will prevent potential ‘Clipboard attacks’.
Clickjacking issue affects Adobe flash player - October 2008
An attacker could lure the unsuspecting user into clicking on a link that would give the attacker access to the computer’s microphone and webcam without the user’s knowledge.
Adobe updates flash plugin to address previous security vulnerabilities - April 2008
Adobe has again updated its Flash player with more security updates, as previous vulnerabilities were being actively exploited and users' computers attacked by malicious Flash files.
Flash plug-in may not be legitimate - 2008
During 2008 Sophos encountered many examples of legitimate blogs and message boards carrying comments which linked to websites pretending to offer adult videos, but which actually demanded a browser plugin upgrade before anything could be seen. The updated fake codec or bogus Flash Player software that the user downloaded was in reality scareware that attempts to frighten the user into purchasing fake security software.
Adobe Flash Security Flaws - 2007
Flash plug-in security issue leaves computers open to attack - December 2007
An input validation flaw was found in the way Flash Player displayed certain content. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file.
Critical flash vulnerability enables execution of arbitrary code - July 2007
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker to take control of the affected system by a malicious SWF file being loaded in Flash Player.
Flash security issue compromises HTTP headers - October 2006
This vulnerability could be exploited by malicious web sites to modify HTTP headers of client requests and conduct HTTP request splitting and cross-site request forgery attacks.