Adobe Flash flaw allows code execution

Author
Tomek Tomek
Publication date
29.05.2008
Ilość komentarzy
0
According to an announcement by the United States Computer Emergency Response Readiness Team (or US-CERT), the latest version of Adobe's popular Flash Player 9 has a flaw which is currently being exploited to install malicious software on unsuspecting web users' PCs. All version of Flash 9 prior to the very latest release, version 9.0.124.0, are vulnerable to the attack which exploits a flaw in ActionScript 3.0, a feature introduced in version 9 of the popular rich media player. To take advantage of the security hole that ActionScript 3.0 introduced, all a cracker needs to do is somehow point you toward a website containing an embedded SWF file containing the exploit code. When this file is played via the browser, it will download and install whatever malware the cracker wants. Adobe has announced that the vulnerability, which has been assigned the code CVE-2007-0071 on the Common Vulnerabilities and Exposures project, has been resolved as of Flash Player 9.0.124.0. If you haven't upgraded Flash Player in the last few days, now would be a very good time to do so. If you're not sure what version you're running, Adobe has a useful version checker on its website. This isn't the first time a technology designed to bring music and video to websites has been used as an attack vector by ne'er-do-wells, and due to the complexity of the software involved it's unlikely to be the last. Although updating your software regularly helps mitigate the effects of flaws such as this, prevention is always better than cure – using a browser such as Firefox in conjunction with the NoScript add-on can protect you from a wide range of web-based attacks on untrusted websites even before the vulnerabilities are discovered.

Join the discussion

comments powered by Disqus