Dangerous "unpatchable" flaw discovered in Adobe Flash

By Justin Mann on November 13, 2009, 1:30 PM
A newly discovered flaw in the Flash suite could put both users and servers at risk, according to some recent reports. Adobe has verified the hole, which lies inside any Flash-based application that allows people to upload their own content. Though some details are omitted, the flaw would allow someone to upload a malicious Flash object to a site, which in turn would be downloaded and processed by people visiting the site. According to one security expert, any site relying on user uploads through Flash could be vulnerable.

Adobe is contending that it is not entirely their issue. Other active scripting could also be made vulnerable, such as JavaScript or Silverlight, along with any site that relies on these to provide a mechanism for users to upload files. Because of that, Adobe said the problem is not fixable through a Flash update. Instead, it is on the shoulders of administrators whose servers use Flash. Adobe also suggests it is the responsibility of app developers to be security-minded and prevent this sort of thing from happening.

This isn't the first severe flash flaw to emerge this year. Only a few months ago, a "critical" vulnerability was discovered and published. Earlier in the year, Adobe was tackling a host of other security issues with Flash as well. This newly-discovered vulnerability could prove to be the worst yet -- and it doesn't help that Adobe is claiming the flaw is "unpatchable". A solution must be discovered, but it may be something that has to happen on a developer, browser or OS level instead of through Flash.




User Comments: 12

Got something to say? Post a comment
tengeta tengeta said:

Its cool how Adobe bought out Flash and then turned it into an even bigger vulnerability than Windows itself.

Xclusiveitalian Xclusiveitalian said:

There going to have to release a whole new version asap thanks for the notice!

IvanAwfulitch IvanAwfulitch said:

Lol.

No, seriously. LOL! An unpatchable flaw and they only just found it? Adobe has been out there for how long? I can understand that it might be a roundabout way to hack it, but all it takes is uploading malicious code! That's as easy as it gets! Good job, Adobe. I applaud your inadequacy.

Kibaruk Kibaruk, TechSpot Paladin, said:

Like it says, it's not entirely adobes, but the add of some other scripting that generates the blackhole.

Guest said:

This give new hope to the migration from flash... I just cant wait for HTML5 to replace the need for flash player (Google need to set an example, by making youtube flash free ... I love the HTML5 youtube demo page).

Guest said:

Riiiight.. This is really non-news. Honestly, I have never even HEARD of a website that utilizes Flash to allow users to upload content for other users to download. Are you kidding me? How is this even exploitable? Someone name me a single site that does this. If there is such a thing, then all they need to do is use some other method for distribution. Simple-as-all-hell-fix.

Also, the article mentions that other things involving scripting (Actionscript is VERY similar to java script ) can suffer from similar back doors. But honestly, how is this even considered a threat? There are so many prerequisites that I feel like this article is merely embracing sensationalism in the pursuit of a story. Bah.

Guest said:

Read the article again- it's not about using flash to upload content, it's about uploading malicious flash objects. According to a followup from the researcher, Adobe has 4 or 5 of these vulnerabilities on their own servers. Other demonstrations of vulnerable sites included Gmail and other popular web applications.

Not exactly non-news.

rgdot said:

Like pointed out...can't wait for HTML 5. A very large percentage of my 'exposure' to flash is youtube.

Flannelwarrior said:

I feel like JS having big security holes isn't new news; Flash is just another application through which JS's script defects can manifest themselves.

Darth Shiv Darth Shiv said:

flannelwarrior said:

I feel like JS having big security holes isn't new news; Flash is just another application through which JS's script defects can manifest themselves.

Flash introduces plenty more than just what JS can or has.

T77 T77 said:

adobe is doing a really good job of putting their responsibility on others shoulders!

maybe they should dump their flash if they cant repair its ever growing vulnerabilities!

Guest said:

So what's the hole exactly? Based on what I read it looks like you could make an application that lets users upload a swf to the server and then serve that same swf up to other users as content. If that's correct then Adobe is right to say it isn't their security issue but an issue with web applications that use that technology. Clearly adobe cannot create a technology that stops servers from serving up swf files. It would be the responsibility of the web application developer to make sure their application does not have this vulnerability. For the record this exact same issue exists with java script , that's why most blogs won't let you include HTML tags in your comments.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.