
After Patches, Adobe Flash Still Not Secure

By Richard Adhikari
March 2, 2009


Adobe's Flash application is great for creating and watching rich multimedia applications, but it's one of the applications security researchers fear most because it is highly vulnerable to hackers. The application has come under more intensive scrutiny recently after Adobe issued a patch for yet another vulnerability discovered earlier this week.

"We're spending a lot of time researching the vulnerability of Adobe Flash because we foresee the problem getting worse before it gets better," Holly Stewart, threat response manager at IBM (NYSE: IBM) Internet Security Systems' X-Force research team, told InternetNews.com by e-mail.

At the end of 2008, 15 percent of all malicious links were to Flash movies containing malware, Stewart said. She added that people continue falling victim to Flash exploits because most of them do not patch Adobe applications when patches are available.

The latest vulnerability lets attackers take control of victims' computers through a buffer overflow, Adobe said in a security bulletin. It occurs in Flash Player 10.0.12.36 and earlier versions, Adobe said. The vendor has issued a patch for the vulnerability, which it has named APSB09-01.

Adobe's bulletin said the user must load a malicious Shockwave Flash (SWF) file in the Flash Player before hackers can exploit the vulnerability. SWF files can contain animations or applets with different functions.

That need to download a malicious SWF file first could mean hackers would have to launch a two-pronged attack of the kind that hit the Microsoft Excel zero-day vulnerability earlier this week.

Adobe did not respond to requests for comment by press time.

The patch released last week also resolves other possible attacks. One could lead to a Denial of Service attack; another, for Linux only, could lead to privilege escalation, meaning an attacker could get more extensive privileges after hacking into a system.

Two other possible attacks are clickjacking attacks. One affects Windows systems only and the other affects Flash Player itself, Adobe's Web site said.

In with the new

Adobe's Web site recommends users update to the most current version of Flash Player available for their platform. Users can go to this Adobe site to verify the version of Flash Player on their computers.

Flash Player versions 10 and later are not available for Microsoft Windows 98 or Windows ME, Apple Macintosh OS X 10.1 to 10.3, and Red Hat Enterprise Linux 3 and 4, Adobe said on its Web site. That is because they are not supported on older operating systems and these operating systems' manufacturers will not fix problems in them, according to Adobe's Web site.

Adobe has developed Flash Player 9.0.159.0, a patched version of Flash Player 9, for users who cannot update to version 10. It can be downloaded from this Web page.

Courtesy of InternetNews.
