Posts Tagged ‘email attachment’

New critical Adobe Flash Player security flaw allows a malicious attacker to get access to Windows, Linux, Mac OS and BSD

Wednesday, April 20th, 2011

Flash swf Player artistic logo exploit

A new zero-day exploit for the Adobe Flash Player has been published on http://exploit-db.com .
The exploit published is targetting Windows 7 systems.
Even though the published version of the exploit is said to affect Windows 7 installations, the shellcode with this proof of concept exploit (PoC) could surely be changed to a one that would also take effect in Linux.
Most likely Linux exploitation will be a harder task to achieve, however thesecurity advisory issued http://www.adobe.com/support/security/advisories/apsa11-02.html recommends an immediate update of the flash player.

According to some rumors the 0 day adobe flash vulnerability has been exploited since a long time to get access to confidential U.S. governmental documents.

A classical ways said that malicious hackers uses is by sending a flash (.swf) containing email, by simply opening the email attachment the victim gets exploited.

Adobe officially has reported, there are no official information if attacks has targetted other company software like Adobe Acrobat Reader which supports embedded flashes.
According to Adobe Adobe Reader is not vulnerable to this kind of attacks as it uses a protected mode which would mitigate the attack (though I hardly doubt this claim).

The affected versions of Adobe’s Flash player are:

  • Flash Player 10.2.153.1 for Windows
  • Flash Player 10.2.153.1 for Apple Macintosh
  • Flash Player 10.2.153.1 for Linux and Solaris
  • Flash Player 10.2.156.12 for Android Mobile platform

as well as the Authplay.dll library used by Adobe’s Acrobat Reader

Earlier versions of Flash player are also affected by the critical security vulnerability.
There are already rumors that the exploit is exploited using a crafted (.swf) files embedded into Microsoft Word .doc files.

This new critical vulnerability is another example clearly showing how insecure a user who has flash enabled in their browser is.

According to preliminary information, exploitation of this critical security flaw can be sucessfully achived in most (if not all) browsers …

By so far browsing on Linux was always considered to be a way more secure than on Windows, with this issue rising up this kind of believe is questioned.
Surely many Linux distributions and FreeBSD and BSD derivatives used as Desktops will probably not package timely newer version of the adobe flash (flashplugin-nonfree) package on time

Today the flash player is a de-facto standard and is wide spread among most modern internet connected operating system obviously it’s unificated use, creates unified problems.

The example with this flash security issue is a good example against why non-free technologies should not be set as standards.
If the flash player and standard was free and everybody could create and distribute flash players for free. Such a vulnerability affecting so many operating systems and so many browsers would never come true

To sum it up, this issue will surely create a lot of problems and opens a serious security hole for us the Linux users.

Therefore be sure to update your flash player before someone has exploited you through the web.