Adobe Flash Security Problems

Adobe Flash Player Security Issues, Exploit & Vulnerabilities, SWF Flaws

SWF Flash Security issues, Flash DRM vulnerabilities & flaws

Information on Adobe Flash security problems: issues, vulnerabilities, flaws, exploits, and cracks in Adobe Flash and Adobe Flash Player security.  It is widely recognized that the design of Adobe’s Flash Player is insecure.  Many sites provide information on how to make Flash files more secure from attack, and this article on Flash Security makes for useful reading.

For an up-to-date list of Adobe Flash security problems, issues, advisories and bulletins see Adobe’s web site.

Adobe to drop support for Flash Player in 2020

Plagued by security issues (malicious data injection, exploit problems, cross-site scripting attacks and other vulnerabilities), Adobe announced in 2017 that it will discontinue support for the Flash Player plugin in 2020.

Apple announced in 2010 that it would stop using Flash in its mobile products and the industry shifted to using open standards such as HTML5.  HTML5 provides video support without the need for plugins and therefore avoids the security issues and compatibility problems that come with them.

Adobe Flash security vulnerabilities, exploits, issues

Adobe issues Flash security update for critical security flaw
Adobe launches an update to fix a critical exploit that was actively being used – the exploit allowed for attackers to crash or take control of the host system.

Adobe issues Flash security update
Adobe launches a critical update to their Flash Player, fixing a vulnerability that could cause a crash on the host computer and could allow a 3rd party to connect to and control that computer.

Flash obfuscation has been hacked again
Angler Exploit Kit (a program used regularly by attackers) was updated just 3 days after Adobe launched a fix for an exploit it was using. The speed and effectiveness of this display sets a worrying trend for the security community in regards to basic Flash obfuscation.

Adobe issues Flash security update
Adobe released yet more updates to address four security vulnerabilities that affect Flash Player.  There were the usual ones for preventing arbitrary code execution and cross-site scripting vulnerabilities, and a security bypass vulnerability that could lead to information disclosure.

Adobe fixes critical Flash security flaw
Adobe released an emergency update to its Flash Player to address another vulnerability that is actively being used for remote code execution.

Adobe flash security vulnerabilities patched
Adobe security updates for Flash Player and AIR fix two memory corruption vulnerabilities that could lead to remote code execution.  Adobe said they are not aware of any exploits or attacks that are actively targeting the vulnerabilities fixed in the new flash security updates.

Adobe patches flash vulnerabilities to increase security
Adobe has released new critical updates to Flash player to resolve various memory corruption vulnerabilities that could lead to code execution.

Adobe releases emergency flash security update
Adobe has released an unscheduled patch to prevent malware attacks which are being exploited in the wild on OS X and Windows.  Malicious SWF content is delivered either in web sites or in MS Word files.

Fake Flash security update installs banking Trojan
A spam email campaign infects users’ computers with a fake update for Adobe Flash Player which installs the Zeus banking Trojan, and then directs victims’ computers to domains hosting more malicious software.

Adobe fixes 25 flash security vulnerabilities
Adobe’s updates are described in Security Bulletin APSB12-22.  The fixes cover 25 separate vulnerability disclosures.  The Microsoft update is Security Advisory 2755801, which references a support document covering “vulnerabilities in Adobe Flash Player in Internet Explorer 10 (KB2758994).”

Adobe flash player security hit by fake apps
Following the announcement from Adobe to drop Flash player for mobile devices, scammers cashed in on the removal of Flash Player from the Google Play app store by creating fake or pirated versions of the Flash Player app containing adware and trojans and distributing them on third-party sites.

Adobe patches seven critical flash vulnerabilities
The flaws included memory corruption, integer and stack overflow, and security bypass bugs such as DLL load hijacking.

Emergency flash security patch fixes latest Adobe flash player vulnerability
Adobe’s latest flash security fix fixes the most recent Flash Player vulnerability being exploited in active targeted attacks.  Users are tricked into clicking on a malicious file delivered in an email message in order for hackers to gain control over their computers.

Critical flash security update for hacker vulnerability
Adobe has released a security update for Adobe Flash. The update fixes two problems – the first is a memory corruption vulnerability in Matrix3D that could lead to unauthorized code execution. The second vulnerability patched is an integer error that can lead to information disclosure.

Adobe releases flash security patch for critical vulnerability
Adobe’s latest flash security patch fixes a zero-day cross-site scripting flaw which could be used to take actions on a user’s behalf if the user visits a malicious website or clicks on a malicious link delivered in an email message. This flash security vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks.

Adobe flash security critical updates for Flash player
Adobe have released their latest security patches for flash player that fix several memory corruption, buffer overflow and stack overflow vulnerabilities in Adobe Flash Player which attackers could exploit to cause a crash on the system running Adobe Flash technologies. Adobe say their next flash player version will include automatic updates to ensure security issues are fixed as soon as patches are available.

Flash security vulnerability causes video snooping issue
A security bug in Adobe Flash Player could allow websites to turn on a user’s camera and microphone without their knowledge.  The flaw was first reported in 2008 and fixed by Adobe, but a user demonstrated how it could still be exploited on Mac computers today.

Flash security emergency update addresses critical security issues in flash player
This flash security update fixes cross-site scripting issues and other critical flash security issues that were reported earlier in the year, most notably the RSA attack which happened when an employee opened a spreadsheet that contained a zero-day exploit which installed a backdoor through an Adobe Flash vulnerability.

Flash security hole opens computers for attack
The latest Adobe Flash security problem enables malware-infested sites to manipulate a user’s computer or Android device and run wild with it (access websites, use e-mail, and access applications). Targeted attacks through links in e-mails are spreading the malware further.  A flash security fix to stop this problem can be downloaded from Adobe’s site.

Flash security flaw causes major problems in Word and Excel
The latest flash security exploit enables malicious flash code to be inserted into Word documents and Excel spreadsheets which, on opening, send sensitive company information back to hackers. It spreads like a virus by emailing itself to recipients on the company’s email list.

Google Chrome offers to help stop Flash security problems
Google have extended their flash security sandbox to allow Adobe flash to take advantage of it.  Google have also enhanced plug-in security by notifying the user of out-of-date plug-ins that may cause vulnerabilities.

Flash security vulnerabilities affect Microsoft Excel
A flash security issue is currently being exploited by hackers by embedding malicious SWF files into Microsoft Excel spreadsheets.  These are then emailed to unsuspecting users.  All major operating systems are affected by this flash security flaw.

USB flash security compromised by major design flaw
Secure flash drives manufactured by some of the big-brand flash memory makers can be sent an ‘unlock’ flag which makes them unlock without requiring the password.  The system is inherently insecure because when the secure flash drive software authenticates the supplied password it sends an ‘unlock’ flag to the drive (a common ‘conditional jump’), which can be patched to unlock the device.

Adobe flash security sandbox bypassed
Adobe flash player security has been bypassed by a security researcher who used a file request to a network machine.  Adobe flash problems were meant to be minimized by use of the sandbox but the security researcher detailed how this could be easily bypassed by a malicious person.

Google Sandbox Flash to help prevent security issues
Starting with the open-source Chromium version for Windows, Adobe’s plugin will block off access to certain vital parts of the browser code to prevent some if not most security exploits.

Latest flash security issue enables malicious code execution
This latest flash security problem could enable an attacker to take control of a user’s entire system. The vulnerabilities occur in Flash Player 10.1.85.3 and earlier versions for Windows, Mac, Linux, Solaris and Android.

Latest flash security issue also affects Adobe Acrobat & Reader
Secunia ranked the Flash flaw as “extremely critical” and said hackers could use it to compromise systems and execute malicious code.

Adobe fix latest flash security issue ahead of schedule
Adobe have responded to industry pressure and released their fix a week early to the crash flaw reported back in June.  A security fix for Google Chrome was released 3 days earlier.

Flash security issue – a feeling of Déjà vu strikes again
Adobe have announced a flaw in version 10.1.82.76 of their Flash Player which could cause a crash and allow an attacker to take control of the affected computer.  This sounds amazingly similar to the Flash security issue reported in June…

Flash security is a major issue for US educational sites
The majority of U.S. educational websites are failing to adequately secure pages that contain flash.  Many sites are not kept up to date and so remain vulnerable, whilst others have hardcoded login information into their applications.  Out of 250 educational sites tested, only 2 had no flash security issues.

Adobe Flash security patch released
Adobe have issued, earlier than expected, a patch to their flash player to fix the critical vulnerability that allows hackers to take control of users’ computers.

Adobe flash security warning
Adobe Flash player has been exploited yet again.  The exploit allows attackers to use maliciously crafted Flash content to crash the Flash player, and potentially take control of the affected computer.  The exploit impacts the Mac, Windows, Linux and Solaris versions of Flash Player, and the Mac, Windows and UNIX versions of Adobe Reader and Acrobat.

Hackers attack WOW users using Adobe flash security flaw
World of Warcraft users woke up to find themselves banned or have their accounts drained due to Adobe Flash being exploited.  A similar incident occurred in 2008.

Adobe flash security gets updated with latest bug fixes
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved “multiple crash vulnerabilities.”  It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information.

Flash flaw puts web sites and users at risk
This vulnerability allows the same-origin policy of Adobe Flash to be exploited to allow nearly any site that allows user generated content to be attacked. If a hacker can get a Flash object onto your server, they can execute scripts in the context of your domain and use it to attack the server. Almost everyone using the Internet is vulnerable to a website that allows content to be updated inappropriately which can then launch silent attacks on visitors to those sites.

Upgrading to latest Mac OS downgrades Flash security
Apple Mac users are being urged by security company Sophos to upgrade Adobe Flash after installing Snow Leopard, Apple’s latest Mac operating system. Installing the new OS automatically downgrades the version of Adobe Flash on the user’s computer, putting them at risk of serious flash security vulnerabilities.

80% of Adobe Flash users vulnerable to security attack
Security vendor Trusteer said “Targeting vulnerabilities in these applications is extremely efficient since it enables criminals to target the 99 percent of Internet users using the Flash plugin.” Adobe is working to address the problem, but Trusteer says the difficulty is in their update mechanism, which lags industry standards for effectively distributing security patches to the field.

Security compromised by Adobe Flash bug in malicious PDF files
On opening the PDF or a web page containing an infected flash file, this exploit will allow malware to be dropped onto the victim’s machine. When the exploit fires, it checks the Flash version on the vulnerable computer and, depending on the result, it uses a different .SWF (shockwave) file to take complete control of the machine. Symantec reports that this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.

Adobe Streamed Flash (FLV) DRM provides little security
Adobe added encryption to its proprietary protocol on introducing Flash Media Server 3 in order to prevent the recording of Flash content, and defined RTMPE (RTMP encrypted) for the purpose. A recently published analysis of RTMPE comes to the conclusion that, although the algorithm “provides end-to-end secrecy in exactly the same way that SSL provides end-to-end secrecy, it provides no security and uses no authentication of any kind.” Nowhere is a secret key, a password or even a pass phrase required in order to decrypt the content: only a 32-byte hash value plus the size of the SWF file and publicly exchanged information, specifically the last 32 bytes of the first response from the streaming server, are involved.

Adobe’s Flash Files Expose Websites to XSS Attacks
Vulnerable Adobe Flash files can be modified by cyber-criminals to launch XSS and phishing assaults (unaware users can be forwarded to phishing or malicious sites from the legitimate ones), cookie hijacking and theft of users’ passwords.  Security researchers have also found that flash files could be easily used by criminals to interfere with official sites belonging to government agencies, banks and other reliable organizations.

Fake Flash Site causes major security issue
The site displays a message requesting that the user download “a new version of Adobe Flash Player” in order to view a video on the site, but instead installs malware on the user’s computer.

Flash security issues gain momentum
The Sophos 2009 Security Threat Report warned that hackers are increasingly looking at commonly used browser plugins like Adobe Flash and PDF in their attempts to infect innocent computer users. The report said “The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build web attack pages incorporating booby-trapped code. The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date.”

Flash security risks with streaming video
Video streaming is bad news when it comes to security.  Apart from having to have the UDP ports of your firewall left open, there are vulnerabilities in the technology itself.  And if that is not enough, there is the obvious matter of the drain on resources which could bring your network to a crawl…

Flash plug-in issue causes malware to invade users’ computers whilst surfing the web
Flash browser plug-ins are used in attacks known as “drive-by downloads” in which malware is surreptitiously downloaded onto a computer while the user is surfing the Internet.

HP provide free flash security tool to help secure flash files
HP is providing a free flash security tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites.  HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe’s best security practices guidelines. The tool works with all versions of Flash.

Flash security issues are mainly due to bad programming
With hackers increasingly targeting Web 2.0 sites, knowing how to develop secure Adobe Flash applications can be a difference maker when it comes to avoiding mass compromises.

Flash security controls bypassed by latest vulnerability
This update addresses previously reported ‘Clickjacking’ issues, enhancement of Flash Player’s interpretation of cross-domain policy files, functionality to further mitigate a potential port-scanning issue, and changes to the Clipboard API that will prevent potential ‘Clipboard attacks’.

Clickjacking issue affects Adobe flash player
An attacker could lure the unsuspecting user into clicking on a link that would give the attacker access to the computer’s microphone and webcam without the user’s knowledge.

Adobe updates flash plugin to address previous security vulnerabilities
Adobe has again updated its flash player with more security updates, as previous vulnerabilities were being actively exploited, with users’ computers attacked by malicious flash files.

Flash plug-in may not be legitimate
During 2008 Sophos encountered many examples of legitimate blogs and message boards carrying comments which linked to websites pretending to offer adult videos, but which actually demanded a browser plugin upgrade before anything could be seen. The updated fake codec or bogus Flash Player software that the user downloaded was in reality scareware that attempts to frighten the user into purchasing fake security software.

Flash plug-in security issue leaves computers open to attack – December 2007
An input validation flaw was found in the way Flash Player displayed certain content. It may be possible to execute arbitrary code on a victim’s machine if the victim opens a malicious Adobe Flash file.

Critical flash vulnerability enables execution of arbitrary code – July 2007
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker to take control of the affected system when a malicious SWF file is loaded in Flash Player.

Flash security issue compromises HTTP headers – October 2006
This vulnerability could be exploited by malicious web sites to modify HTTP headers of client requests and conduct HTTP request splitting and cross-site request forgery attacks.

Programming to avoid Adobe Flash Security problems, exploit issues & flaws

If you are developing Adobe Flash applications then these articles will help you make your flash applications more secure by showing you what measures you can implement to avoid malicious data injection, flash exploit problems, cross-site scripting attacks and other known flash security vulnerabilities.

Top security threats to Flash/Flex applications and how to avoid them – Part 1
Top security threats to Flash/Flex applications and how to avoid them – Part 2
