Adobe Flash Security issues, exploit problems and player flaws – 2009
Adobe Flash security gets updated with latest bug fixes – December 2009
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved multiple crash vulnerabilities. It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information.
Flash flaw puts web sites and users at risk – November 2009
This vulnerability exploits the same-origin policy of Adobe Flash, so that nearly any site that accepts user-generated content can be attacked. If a hacker can get a Flash object onto your server, they can execute scripts in the context of your domain and use it to attack the server. Almost everyone using the Internet is exposed, because a website that allows content to be uploaded inappropriately can then launch silent attacks on its visitors.
Upgrading to latest Mac OS downgrades Flash security – September 2009
Apple Mac users are being urged by security company Sophos to upgrade Adobe Flash after installing Snow Leopard, Apple's latest Mac operating system. Installing the new OS automatically downgrades the version of Adobe Flash on the user's computer, putting them at risk of serious Flash security vulnerabilities.
80% of Adobe Flash users vulnerable to security attack – August 2009
Security vendor Trusteer said “Targeting vulnerabilities in these applications is extremely efficient since it enables criminals to target the 99 percent of Internet users using the Flash plugin.” Adobe is working to address the problem, but Trusteer says the difficulty is in their update mechanism, which lags industry standards for effectively distributing security patches to the field.
Security compromised by Adobe Flash bug in malicious PDF files – July 2009
On opening the PDF or a web page containing an infected Flash file, this exploit will allow malware to be dropped onto the victim’s machine. When the exploit fires, it checks the Flash version on the vulnerable computer and, depending on the result, it uses a different .SWF (Shockwave) file to take complete control of the machine. Symantec reports that this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages), most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.
Adobe Streamed Flash (FLV) DRM provides little security – May 2009
Adobe added encryption to its proprietary protocol on introducing Flash Media Server 3 in order to prevent the recording of Flash content, and defined RTMPE (RTMP encrypted) for the purpose. A recently published analysis of RTMPE comes to the conclusion that, although the algorithm “provides end-to-end secrecy in exactly the same way that SSL provides end-to-end secrecy, it provides no security and uses no authentication of any kind.” Nowhere is a secret key, a password or even a pass phrase required in order to decrypt the content: only a 32-byte hash value plus the size of the SWF file and publicly exchanged information, specifically the last 32 bytes of the first response from the streaming server, are involved.
Adobe’s Flash Files Expose Websites to XSS Attacks – May 2009
Vulnerable Adobe Flash files can be modified by cyber-criminals to launch XSS and phishing attacks (unaware users can be forwarded from legitimate sites to phishing or malicious ones), cookie hijacking and theft of users’ passwords. Security researchers have also found that Flash files could easily be used by criminals to interfere with official sites belonging to government agencies, banks and other reliable organizations.
Fake Flash Site causes major security issue – May 2009
The site displays a message asking the user to download “a new version of Adobe Flash Player” in order to view a video on the site, but instead installs malware on the user's computer.
Flash security issues gain momentum – April 2009
The Sophos 2009 Security Threat Report warned that hackers are increasingly looking at commonly used browser plugins like Adobe Flash and PDF in their attempts to infect innocent computer users. The report said “The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build web attack pages incorporating booby-trapped code. The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date.”
Flash security risks with streaming video – April 2009
Video streaming is bad news when it comes to security. Apart from having to have the UDP ports of your firewall left open, there are vulnerabilities in the technology itself. And if that is not enough, there is the obvious matter of the drain on resources which could bring your network to a crawl…
Flash plug-in issue causes malware to invade users' computers whilst surfing the web – April 2009
Flash browser plug-ins are used in attacks known as “drive-by downloads” in which malware is surreptitiously downloaded onto a computer while the user is surfing the Internet.
HP provides free Flash security tool to help secure Flash files – March 2009
HP is providing a free Flash security tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites. HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe’s best security practices guidelines. The tool works with all versions of Flash.
Flash security issues are mainly due to bad programming – February 2009
With hackers increasingly targeting Web 2.0 sites, knowing how to develop secure Adobe Flash applications can be a difference maker when it comes to avoiding mass compromises.