TechSpot

Dangerous "unpatchable" flaw discovered in Adobe Flash

By Justin
Nov 13, 2009
  1. A newly discovered flaw in the Flash suite could put both users and servers at risk, according to some recent reports. Adobe has verified the hole, which lies inside any Flash-based application that allows people to upload their own content. Though some details are omitted, the flaw would allow someone to upload a malicious Flash object to a site, which in turn would be downloaded and processed by people visiting the site. According to one security expert, any site relying on user uploads through Flash could be vulnerable.

    Read the whole story
     
  2. tengeta

    tengeta TS Enthusiast Posts: 632

    Its cool how Adobe bought out Flash and then turned it into an even bigger vulnerability than Windows itself.
     
  3. Xclusiveitalian

    Xclusiveitalian TS Guru Posts: 692   +48

    There going to have to release a whole new version asap thanks for the notice!
     
  4. IvanAwfulitch

    IvanAwfulitch TS Enthusiast Posts: 239   +11

    Lol.

    No, seriously. LOL! An unpatchable flaw and they only just found it? Adobe has been out there for how long? I can understand that it might be a roundabout way to hack it, but all it takes is uploading malicious code! That's as easy as it gets! Good job, Adobe. I applaud your inadequacy.
     
  5. Kibaruk

    Kibaruk TechSpot Paladin Posts: 1,443   +124

    Like it says, it's not entirely adobes, but the add of some other scripting that generates the blackhole.
     
  6. This give new hope to the migration from flash... I just cant wait for HTML5 to replace the need for flash player (Google need to set an example, by making youtube flash free ... I love the HTML5 youtube demo page).
     
  7. Riiiight.. This is really non-news. Honestly, I have never even HEARD of a website that utilizes Flash to allow users to upload content for other users to download. Are you kidding me? How is this even exploitable? Someone name me a single site that does this. If there is such a thing, then all they need to do is use some other method for distribution. Simple-as-all-hell-fix.

    Also, the article mentions that other things involving scripting (Actionscript is VERY similar to Javascript) can suffer from similar back doors. But honestly, how is this even considered a threat? There are so many prerequisites that I feel like this article is merely embracing sensationalism in the pursuit of a story. Bah.
     
  8. Read the article again- it's not about using flash to upload content, it's about uploading malicious flash objects. According to a followup from the researcher, Adobe has 4 or 5 of these vulnerabilities on their own servers. Other demonstrations of vulnerable sites included Gmail and other popular web applications.

    Not exactly non-news.
     
  9. rgdot

    rgdot TS Rookie Posts: 16

    Like pointed out...can't wait for HTML 5. A very large percentage of my 'exposure' to flash is youtube.
     
  10. Flannelwarrior

    Flannelwarrior TS Rookie Posts: 149

    I feel like JS having big security holes isn't new news; Flash is just another application through which JS's script defects can manifest themselves.
     
  11. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,184   +177

    Flash introduces plenty more than just what JS can or has.
     
     
  12. T77

    T77 TS Enthusiast Posts: 315

    adobe is doing a really good job :( of putting their responsibility on others shoulders!
    maybe they should dump their flash if they cant repair its ever growing vulnerabilities!
     
  13. So what's the hole exactly? Based on what I read it looks like you could make an application that lets users upload a swf to the server and then serve that same swf up to other users as content. If that's correct then Adobe is right to say it isn't their security issue but an issue with web applications that use that technology. Clearly adobe cannot create a technology that stops servers from serving up swf files. It would be the responsibility of the web application developer to make sure their application does not have this vulnerability. For the record this exact same issue exists with javascript, that's why most blogs won't let you include HTML tags in your comments.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.