Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
  HOME     MENU     SEARCH     NEWSLETTER    
CUSTOMER RELATIONSHIP MANAGEMENT NEWS. UPDATED 3 MINUTES AGO.
You are here: Home / Data Security / Attackers Can Take Control with Flash
Adobe Flash Flaw Could Give Attackers Full Control
Adobe Flash Flaw Could Give Attackers Full Control
By Jennifer LeClaire / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
FEBRUARY
25
2009
Less than a week after security researchers warned of a vulnerability in two Adobe programs that could allow hackers to compromise a PC comes yet another critical exploit that could hijack your desktop.

This time, attackers have targeted Adobe's Flash animation software. According to iDefense Labs, remote exploitation of the vulnerability in the Flash player could allow an attacker to execute arbitrary code with full user privileges. That means anything you could do with your PC, the attacker could, too.

"To exploit this vulnerability, a targeted user must load a malicious Shockwave Flash file created by an attacker," iDefense Labs said. "An attacker typically accomplishes this via social engineering or injecting content into a compromised, trusted site."

Adobe's Black Eye

Adobe already has a black eye because of a zero-day vulnerability in Acrobat Reader that has attracted a lot of attention in the press and the security community, according to Andrew Storms, director of security operations for nCircle. The network security and compliance automation firm works with companies like Safeway, U.S. Cellular, and Archer Daniels Midland.

"Some people are asking why is it taking Adobe so long to release a patch for the Acrobat bug when third-party companies have already released mitigation steps and a few have even released their own Acrobat patches," Storms said. "Meanwhile, apart from a simple security notice on its Web site, Adobe has been conspicuous by their silence."

The optimistic view is that Adobe has been busy working on a Flash update and ensuring a high level of quality in its Acrobat patch. Storms said we have little choice but to take the optimistic view because anything else would further degrade Adobe's reputation with an information-security community already surprised by its lack of response.

"At this point, Adobe needs to do two things in a hurry," Storms said. "First, they need to provide mitigation advice for both the known Acrobat zero-day vulnerability and this new Flash advisory. Second, they need to begin an advance notification program so enterprises can plan for Adobe patches."

Adobe's Response

Adobe wasn't immediately available for comment, but Tuesday afternoon confirmed the vulnerability in its Flash software on all platforms. The vulnerability is in Adobe Flash Player 10.0.12.36 and earlier versions. Adobe rates the vulnerability as critical.

Adobe recommended users update to the most current version of Flash Player for their platform. For users who cannot update to Flash Player 10, Adobe has developed a patched version of two earlier versions that are available for download.

However, there is still no update on the Adobe Reader and Acrobat flaws. Adobe said in an earlier security advisory that it will make an update for Adobe Reader 9 and Acrobat 9 by March 11. That is still two weeks away.

Meanwhile, attackers are actively exploiting the flaw. Adobe's only advice: Disabling JavaScript in Reader and Acrobat may protect users. "Disabling JavaScript provides protection against currently known attacks," Adobe said in its Feb. 19 security advisory. "However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk."

Image credit: iStock.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
MORE IN DATA SECURITY

NETWORK SECURITY SPOTLIGHT
China-based Vivo will be the first company to come out with a smartphone featuring an in-display sensor for fingerprint security, beating Apple, Samsung, and other device makers to the punch.

CRM DAILY
NEWSFACTOR NETWORK SITES
NEWSFACTOR SERVICES
© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.