Hackers Exploit Adobe Flash Web Browser Vulnerability to Serve Malware
A security investigator at Foreground Security has found that the method in which Web browsers deal with Adobe Flash is flawed; consequently, it could allow malicious users to hijack websites, which accept user content.
The flaw is related to a method that takes advantage of the Adobe Flash same-origin rule (policy) for serving and uploading malevolent files.
Actually, the rule or policy limits Flash objects so that they just retrieve content from where they originate. Meanwhile, the flaw occurs because Flash objects belonging to the user's server would run within the circumstances related to the user's domain.
It is possible that the attack could take place on various websites ranging from social-networking to Web-mail. Basically, the attacker exploits the uploading of Flash objects as content to a website that allows him to run malicious code from it for stealing personal information of those people who visit the site.
Mike Bailey, Security Researcher at Foreground Security, said via a blog that if an attacker could manage the hosting of a particular file on a particular server, then he could utilize that file for attacking that server, as reported by Information Week on November 12, 2009.
Commenting on the issue, Michael Murray, CSO, Foreground Security, states that all users are vulnerable to the attack and there is no solution they can find for themselves. The company revealed how the attack could be executed against File Manager of cPanel, SquirrelMail, and Gmail, as reported by Dark Reading on November 12, 2009.
Murray adds that his company is hoping that it can persuade CIOs and IT administrators to begin a patching drive for their websites.
Meanwhile, Adobe without disputing over the investigator's declarations stated that those who designed and administered websites bore a responsibility to develop sites and software that effectively blocked such attacks.
Related article: Hackers Redirect Windows Live Search to Malicious Sites
» SPAMfighter News - 24-11-2009