Hackers Exploit Adobe Flash Web Browser Vulnerability to Serve Malware

A security researcher at Foreground Security has found a flaw in the way Web browsers handle Adobe Flash content; it could allow attackers to hijack websites that accept user-supplied content.

The flaw lies in a technique that abuses the Adobe Flash same-origin policy by uploading malicious files to a site and having the site serve them.

The policy limits Flash objects to retrieving content only from the origin they were loaded from. The problem is that a Flash object served from a site's own server runs in the context of that site's domain.

If an attacker can place a malicious Flash object on a website, for instance through user-generated content features that let visitors upload files, that object will execute code under the site's domain.

The attack could apply to a wide range of sites, from social networks to Web-mail services. In essence, the attacker uploads a Flash object as ordinary user content; because the site then serves it from its own domain, the object can run malicious code there and steal personal information from people who visit the site.

Mike Bailey, Security Researcher at Foreground Security, wrote on a blog that if an attacker can get a particular file hosted on a particular server, he can use that file to attack that server, as reported by Information Week on November 12, 2009.

Commenting on the issue, Michael Murray, CSO of Foreground Security, says that every user is vulnerable to the attack and that there is nothing users can do on their own to protect themselves. The company demonstrated how the attack could be carried out against cPanel's File Manager, SquirrelMail, and Gmail, as reported by Dark Reading on November 12, 2009.

Murray adds that his company hopes to persuade CIOs and IT administrators to start patching their websites.

Adobe, without disputing the researcher's findings, stated that those who design and administer websites are responsible for building sites and software that effectively block such attacks.
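As an added defensive example (not code from Foreground Security, Adobe, or any of the sites named above): a Python upload check that recognises Flash content by its file signature rather than by the declared file name or type, together with the response headers a site would use to serve accepted uploads as plain downloads. The structural fix remains hosting user content on a separate domain; the function names and the sample uploads below are assumptions constructed for the example.

```python
# Added defensive example; not Foreground Security's or Adobe's code.
# Identify Flash content by its signature instead of trusting the file name
# or declared Content-Type, and serve accepted uploads in a way that does not
# invite the browser's Flash plug-in to execute them as the site's origin.
from dataclasses import dataclass

# Every SWF begins with a 3-byte signature and a version byte:
# "FWS" (uncompressed), "CWS" (zlib-compressed), "ZWS" (LZMA, later players).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
FLASH_MIME = "application/x-shockwave-flash"

@dataclass
class UploadDecision:
    accepted: bool
    reason: str

def looks_like_swf(data: bytes) -> bool:
    """True when the payload carries a Flash signature, whatever name it was given."""
    return len(data) >= 4 and data[:3] in SWF_SIGNATURES

def vet_upload(filename: str, declared_type: str, data: bytes) -> UploadDecision:
    """Reject Flash objects both by content and by label (hypothetical helper)."""
    # Content first: "avatar.jpg" with an FWS header is still a Flash movie to
    # the plug-in, which is the case a check on the declared type alone misses.
    if looks_like_swf(data):
        return UploadDecision(False, "payload is a Flash object")
    if filename.lower().endswith(".swf") or declared_type == FLASH_MIME:
        return UploadDecision(False, "declared as Flash")
    return UploadDecision(True, "ok")

def user_content_headers(filename: str) -> dict:
    """Headers for serving an accepted upload: force a download, no type sniffing."""
    # Keep only characters that cannot break the header or inject a second one.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }

if __name__ == "__main__":
    # Constructed sample uploads: a zlib-compressed SWF mislabelled as a JPEG,
    # and a genuine PNG header.
    fake_jpeg = b"CWS\x0a" + b"\x00" * 12
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(vet_upload("avatar.jpg", "image/jpeg", fake_jpeg))
    print(vet_upload("avatar.png", "image/png", real_png))
    print(user_content_headers('report".txt'))
```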

» SPAMfighter News - 24-11-2009
