Security Tip: Update Your Flash Player

By Phil Butler

Adobe is in the news again, with all-new ways for hackers to take over your desktop via their products. Just a few days ago security researchers discovered serious security vulnerabilities in some Adobe programs. The latest victim of attacks appears to be the Adobe Flash animation software. iDefense Labs discovered that exploitation of the flaw in the Flash Player could enable hackers to gain full privileges on a user’s desktop.

The method used to “infect” a user’s PC is a malicious Shockwave Flash file created by the attacker, who socially engineers its distribution and then injects the content into a trusted site to complete the attack. Acrobat Reader has already come under criticism after nCircle, another network security firm, found vulnerabilities in the venerated application.

Acrobatic Threats

Reading these stories about such widely used applications, it is a little bit shocking to note how little Adobe appears to be doing about it. Adobe has been fairly silent about the threats, while Symantec and nCircle warn of real and ongoing cases in Asia. According to Andrew Storms, director of security operations for nCircle:

If the history of Adobe Reader vulnerabilities shows us anything, it’s probably just a number of days before this takes off.

The Adobe Flash threat announced today was acknowledged by the company as being a “critical” one for Adobe Flash Player and earlier versions. They recommend that users update to the most current versions. For users who cannot update to version 10, the company has also released a patch for download. We suggest everyone who might be affected read Adobe’s security bulletin about the threat for details and the latest fixes.

Relative Insecurity

There is still no word of an update or fix for the earlier Acrobat Reader issues. Adobe has said they will have updates for Adobe Reader 9 and Acrobat 9 by March 11, but given that these issues were announced before the Flash advisory, one has to wonder what they are waiting for. Adobe’s advice to users was simply to disable JavaScript, which gives what appears to be a “degree” of protection.

Meanwhile, any hacker who can “socialize” their script and get it into a trusted conduit can effectively control your PC. Sourcefire, another security vendor, says they have already traced attacks going back to January 9, so it looks like a time for everyone to cover their own … until Adobe gets off of theirs. We hope this information helps.

  • Jeez.. I thought the point of Flash was the sandbox approach. Makes me rethink all my AIR applications.

    • I am with you Mutant, I fully believed that Adobe stuff was safe as rainwater too. Ugh.


  • tonychung

    Wow. I stumbled on a site when looking for some sample SWFs to use for testing, and Trend A/V went haywire reporting all sorts of Trojan horses. It stands to reason any format that allows code to be executed should be cause for concern.

    Nice to know Adobe’s on top of things with a patch. As this remote code is through a helper app, does this mean even Macs and Linux boxes aren’t safe? How deep does this go?

  • Tarh

    Yet another reason to use NoScript.
    Also, using a product like Comodo Internet Security’s “Defense+” in paranoid mode means that this attack would be noticed immediately as soon as the browser (or the Flash helper application) started trying to do things that it shouldn’t.
    Or, even better, do all of your browsing inside of a VM (or soft-VM), in addition with tools to protect your privacy of course.

• Hey Tony and Tarh. Thanks for the tips, Tarh, and the same thing has happened to me a few times lately. Adobe will have the fixes, or already does in the case of Flash. The post makes it appear Adobe is under a specific attack, but actually everyone is. Adobe is just so widely used, it is important to take note.


• What do you mean by ‘“socialize” their script’? Are you talking about putting Flash on sites like MySpace and calling JavaScript from them?

  • tonychung

    I should have added to my earlier comment that backdoor trojans are not new to the Flash domain. Remember the now infamous “whack a boss” Flash game that made the rounds of most offices in the late ’90s? A version of it opened holes for remote control of your PC.

@halfasleeps: “socialized” scripts are not only embedded on web pages. Files shared (by email or other means) should also be considered social, and more so as the file grows in popularity.
