Walking in Light With Christ - hip0's personal blog on System Administration, Free Software, Computer Security and Religion

New critical Adobe Flash Player security flaw allows a malicious attacker to get access to Windows, Linux, Mac OS and BSD

A new zero-day exploit for the Adobe Flash Player has been published on http://exploit-db.com .

The exploit published is targetting Windows 7 systems.

Even though the published version of the exploit is said to affect Windows 7 installations, the shellcode with this proof of concept exploit (PoC) could surely be changed to a one that would also take effect in Linux.
Most likely Linux exploitation will be a harder task to achieve, however thesecurity advisory issued http://www.adobe.com/support/security/advisories/apsa11-02.html recommends an immediate update of the flash player.

According to some rumors the 0 day adobe flash vulnerability has been exploited since a long time to get access to access to confidential U.S. governmental documents.

A classical ways said that malicious hackers uses is by sending a flash (.swf) containing email, by simply opening the email the victim gets exploiteda.

Adobe officially has reported, there are no official information if attacks has targetted other company software like Adobe Acrobat Reader which supports their flash player product.
According to Adobe Adobe Reader is not vulnerable to this kind of attacks as it uses a protected mode which would mitigate the attack (though I hardly doubt this claim).

The affected versions of Adobe's Flash player are:

• Flash Player 10.2.153.1 for Windows
• Flash Player 10.2.153.1 for Apple Macintosh
• Flash Player 10.2.153.1 for Linux and Solaris
• Flash Player 10.2.156.12 for Android Mobile platform

as well as the Authplay.dll library used by Adobe's Acrobat Reader

Earlier versions of Flash player are also reported to be affected to the critical security vulnerability.
There are already rumors that already the exploit is exploited using a crafted (.swf) files embedded into Microsoft Word .doc files.

This new critical vulnerability is another example which shows clearly how insecure a user who has flash enabled in their browser is.

According to preliminary information, exploitation of this critical security flaw can be sucessfully achived in most (if not all) browsers ...

By so far browsing on Linux was always considered to be a way more secure than on Windows, with this issue rising up this kind of trend would change a bit, as surely many Linux distributions will probably not release a newer version of the adobe flash (flashplugin-nonfree) package.

Today the flash player is a de-facto standard and is wide spread among most modern internet connected operating system obviously it's unified use creates could lead to a unified problems.

The example with this flash security issue is a good example against why non-free technologies should not be set as standards.
If the flash player and standard was free and everybody could create and distribute flash players for free. Such a vulnerability affecting so many operating systems and so many browsers would never become a reality.

To sum it up, this issue will surely create a lot of problems and opens a serious security hole for us the Linux users.

Be sure to update your flash player before someone has exploited you through the web.