New critical Adobe Flash Player security flaw
allows a malicious attacker to get access to Windows, Linux, Mac OS
and BSD
A new zero-day exploit for the
Adobe Flash Player has been
published on
http://exploit-db.com .
The
exploit published is targetting
Windows 7 systems.
Even though the published version of the exploit is said to affect
Windows 7 installations, the shellcode with this proof of concept
exploit (PoC) could surely be changed to a one that would also take
effect in Linux.
Most likely Linux exploitation will be a harder task to achieve,
however thesecurity advisory issued
http://www.adobe.com/support/security/advisories/apsa11-02.html
recommends an immediate update of the flash player.
According to some rumors the
0 day adobe flash vulnerability
has been exploited since a long time to get access to access to
confidential U.S. governmental documents.
A classical ways said that malicious hackers uses is by sending a
flash (.swf) containing email, by simply opening the email the
victim gets exploiteda.
Adobe officially has reported, there are no official information if
attacks has targetted other company software like
Adobe Acrobat
Reader which supports their flash player product.
According to Adobe
Adobe Reader is not vulnerable to this
kind of attacks as it uses a protected mode which would mitigate
the attack (though I hardly doubt this claim).
The affected versions of Adobe's Flash player are:
- Flash Player 10.2.153.1 for Windows
- Flash Player 10.2.153.1 for Apple Macintosh
- Flash Player 10.2.153.1 for Linux and Solaris
- Flash Player 10.2.156.12 for Android Mobile platform
as well as the
Authplay.dll library used by
Adobe's
Acrobat Reader
Earlier versions of Flash player are also reported to be affected
to the critical security vulnerability.
There are already rumors that already the exploit is exploited
using a crafted (.swf) files embedded into Microsoft Word .doc
files.
This new critical vulnerability is another example which shows
clearly how insecure a user who has flash enabled in their browser
is.
According to preliminary information, exploitation of this critical
security flaw can be sucessfully achived in most (if not all)
browsers ...
By so far browsing on Linux was always considered to be a way more
secure than on Windows, with this issue rising up this kind of
trend would change a bit, as surely many Linux distributions will
probably not release a newer version of the adobe flash
(flashplugin-nonfree) package.
Today the flash player is a de-facto standard and is wide spread
among most modern internet connected operating system obviously
it's unified use creates could lead to a unified problems.
The example with this flash security issue is a good example
against why non-free technologies should not be set as
standards.
If the flash player and standard was free and everybody could
create and distribute flash players for free. Such a vulnerability
affecting so many operating systems and so many browsers would
never become a reality.
To sum it up, this issue will surely create a lot of problems and
opens a serious security hole for us the Linux users.
Be sure to update your flash player before someone has exploited
you through the web.