Personal Tech Pipeline | Security Patches | Adobe Warns of Critical Flash Flaw, Drive-by Downloads

White Papers

Sponsor Resources

Free Newsletter GlossaryContact UsAbout Us
Players & CamsPhones & PDAsHome & AutoOnline

March 15, 2006

Adobe Warns of Critical Flash Flaw, Drive-by Downloads

Courtesy of TechWeb News

Adobe on Tuesday warned that multiple critical vulnerabilities in its Flash media player put users at risk, possibly from drive-by downloads, and urged all to update immediately to the patched edition.

Microsoft also issued a security advisory Tuesday to tell customers of its Windows XP, Windows 98, and Windows Millennium operating systems -- all of which are bundled with a flawed edition of Flash -- to also update their players.

Security vendors quickly chimed in Wednesday. Danish vulnerability tracker Secunia, for example, labeled the threat as "highly critical," its second-highest warning rating.

Although Adobe didn't specify the bugs, nor give a total vulnerability count, its advisory indicated attackers would have to create a malformed .swf (Flash content file) and dupe a user into opening it.

"These vulnerabilities could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player," Adobe's advisory read.

Cupertino, Calif.-based Symantec was more specific in an alert to customers of its DeepSight Threat Management System. "Successful exploitation is said to allow for client-side execution of attacker-supplied code," Symantec's warning went. "There is a high probability that widespread exploitation could occur if a malicious .swf file were placed on a popular website.

"Apparently, no user-interaction is required to trigger the issue beyond browsing to a website with a Flash-enabled browser," continued Symantec.

Vulnerabilities that can be exploited against unsuspecting users who simply surf to a site are called "drive-by downloads," and have been attracting great attacker interest, especially after the wide success of a zero-day bug in Windows' processing of the Metafile (WMF) that was exploited using drive-bys in 2005 and into early 2006.

Most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, are Flash-enabled. Microsoft's advisory offered up several workarounds, including disabling the Flash ActiveX control or removing it entirely. The SANS Institute's Internet Storm Center told Firefox users that they may be able to block attacks with the popular AdBlock extension, which blocks all .swf files, though it warned "it's not necessary that the malware end in '.swf.'"

This is not the first Flash bug. The media player was patched as recently as November 2005 against a similar flaw. Two years before that, another critical vulnerability was uncovered.

For its part, Microsoft passed users to Adobe, telling customers to head to Adobe's Web site for guidance.

Microsoft was just as mum as Adobe about the problem's root causes, saying only that it knew of "recent security vulnerabilities in Flash." The Redmond, Wash.-based developer, however, discovered the bugs; Adobe thanked Microsoft for reporting the vulnerabilities.

Patched players for Windows, Mac, Linux, or Solaris can be downloaded from the Adobe site.

E-mail This Story
Print This Story
Reprint This Story

Get the latest Personal Tech news, product info, and trends every week.

Related Content

  Right-click and choose Copy to extract RSS Feed URL  Personal Tech Pipeline's Main RSS Feed
  Right-click and choose Copy to extract RSS Feed URL  Personal Tech Pipeline's Blog RSS Feed

Keeping Up To Date On Enterprise Server Tech?
Review our compilation of columns on server security, database software, and Linux issues.
How to Achieve High Performance Through IT
Learn to achieve high performance by aligning IT to
strategic objectives and solutions to unlock that value.
Using Current Performance to Shape
Future Results

Hear new strategies for improving business
performance and results.

Editor's Picks

Well, Microsoft has "unfolded" its "Origami" ultra-mobile PC platform Thursday. It turned out to be a full-featured PC smaller than a tablet but bigger than a PDA. Are you impressed?
Yes! I want one!
Sort of. We'll see.
No! It's too big for a pocket and too small for real computing. What's the point?

In search of personal tech products? See our new Product Finder, where you'll find personal computing devices, communications solutions, security products, and more.

On the CIO Agenda with IBM
With business growth back on the agenda, the role of the CIO is changing from manager of technology to C-suite collaborator in enabling innovation that matters for the business. Read an executive summary and register to download the full IBM paper.

Symantec Backup Solutions
Desktop to Data Center Protection. Explore the Official Symantec Site.

EMC SAN helps El Camino deliver superior service
EMC CLARiiON and Centera systems are helping El Camino Hospital provide better patient care. The hospital can quickly and effortlessly monitor, modify, and protect the availability of its entire storage environment while saving money ($150,000)

SEC & HIPAA IM Compliance
Satisfy regulatory and compliance requirements for instant messaging.

Secure & Easy Console Management with Digi CM
The Digi CM console server provides secure, intelligent & easy access to network devices with a serial console port. With Digi CM, you can securely monitor & control servers, routers, switches & other devices even when your network is down.

Buy a Link Now

Top ten search terms from the TechWeb TechEncyclopedia
Learn how to use EMC recovery management to protect your data assets.
Mobilized Solutions Guide: Find and compare solutions for your business
Top Requested White Paper Categories from TechWeb White paper Library
Top ten search terms from the TechWeb TechEncyclopedia