Dangerous "unpatchable" flaw discovered in Adobe Flash
A newly discovered flaw in the Flash suite could put both users and servers at risk, according to some recent reports. Adobe has verified the hole, which lies inside any Flash-based application that allows people to upload their own content. Though some details are omitted, the flaw would allow someone to upload a malicious Flash object to a site, which in turn would be downloaded and processed by people visiting the site. According to one security expert, any site relying on user uploads through Flash could be vulnerable.
Adobe contends that the issue is not entirely its own. Other active-scripting technologies, such as JavaScript or Silverlight, could also be made vulnerable, along with any site that relies on these to provide a mechanism for users to upload files. Because of that, Adobe said the problem is not fixable through a Flash update. Instead, it is on the shoulders of administrators whose servers use Flash. Adobe also suggests it is the responsibility of app developers to be security-minded and prevent this sort of thing from happening.
This isn't the first severe Flash flaw to emerge this year. Only a few months ago, a "critical" vulnerability was discovered and published. Earlier in the year, Adobe was tackling a host of other security issues with Flash as well. This newly discovered vulnerability could prove to be the worst yet -- and it doesn't help that Adobe is claiming the flaw is "unpatchable". A solution must be discovered, but it may be something that has to happen on a developer, browser or OS level instead of through Flash.
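One way a site could act on the "developer level" responsibility described above is to classify uploads by their content rather than their name, and to serve stored files as inert downloads. This is an added example, not code from the article, Adobe or the researcher; the image-only policy and the function names `sniff_type`, `accept_upload` and `download_headers` are assumptions made for illustration.

```python
import os

# Leading bytes of the formats this example recognises.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"FWS": "swf",  # uncompressed SWF
    b"CWS": "swf",  # zlib-compressed SWF
    b"ZWS": "swf",  # LZMA-compressed SWF
}
EXTENSIONS = {"png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}}
ALLOWED = frozenset(EXTENSIONS)  # hypothetical site policy: images only


def sniff_type(data: bytes):
    """Classify content by its leading bytes, ignoring name and declared type."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def accept_upload(filename: str, data: bytes):
    """Return (accepted, reason). Content decides; the extension must agree."""
    kind = sniff_type(data)
    if kind == "swf":
        return False, "content is a Flash object"
    if kind not in ALLOWED:
        return False, "content type not on the allowlist"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[kind]:
        return False, f"extension {ext!r} does not match {kind} content"
    return True, kind


def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload as an inert download."""
    safe = os.path.basename(filename).replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }
```

The allowlist is the control that matters here: a file that is not recognisably one of the permitted types is rejected whether or not it is a Flash object.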
User Comments (12)
| tengeta on November 13, 2009 4:39 PM | It's cool how Adobe bought out Flash and then turned it into an even bigger vulnerability than Windows itself. |
| xclusiveitalian on November 14, 2009 12:42 AM | They're going to have to release a whole new version ASAP. Thanks for the notice! |
| IvanAwfulitch on November 14, 2009 3:25 AM | Lol. No, seriously. LOL! An unpatchable flaw and they only just found it? Adobe has been out there for how long? I can understand that it might be a roundabout way to hack it, but all it takes is uploading malicious code! That's as easy as it gets! Good job, Adobe. I applaud your inadequacy. |
| Kibaruk on November 14, 2009 7:44 AM | Like it says, it's not entirely Adobe's, but the addition of some other scripting that generates the black hole. |
| Guest on November 14, 2009 10:08 AM | This gives new hope to the migration from Flash... I just can't wait for HTML5 to replace the need for Flash Player (Google needs to set an example by making YouTube Flash-free... I love the HTML5 YouTube demo page). |
| Guest on November 14, 2009 5:00 PM | Riiiight.. This is really non-news. Honestly, I have never even HEARD of a website that utilizes Flash to allow users to upload content for other users to download. Are you kidding me? How is this even exploitable? Someone name me a single site that does this. If there is such a thing, then all they need to do is use some other method for distribution. Simple-as-all-hell-fix. Also, the article mentions that other things involving scripting (ActionScript is VERY similar to JavaScript) can suffer from similar back doors. But honestly, how is this even considered a threat? There are so many prerequisites that I feel like this article is merely embracing sensationalism in the pursuit of a story. Bah. |
| Guest on November 14, 2009 8:16 PM | Read the article again - it's not about using Flash to upload content, it's about uploading malicious Flash objects. According to a follow-up from the researcher, Adobe has 4 or 5 of these vulnerabilities on their own servers. Other demonstrations of vulnerable sites included Gmail and other popular web applications. Not exactly non-news. |
| rgdot on November 15, 2009 12:34 AM | Like pointed out...can't wait for HTML 5. A very large percentage of my 'exposure' to flash is youtube. |
| flannelwarrior on November 15, 2009 2:38 PM | I feel like JS having big security holes isn't new news; Flash is just another application through which JS's script defects can manifest themselves. |
| Darth Shiv on November 16, 2009 1:08 AM | flannelwarrior said: "I feel like JS having big security holes isn't new news; Flash is just another application through which JS's script defects can manifest themselves." Flash introduces plenty more than just what JS can or has. |
| T77 on November 16, 2009 8:41 AM | Adobe is doing a really good job; maybe they should dump their Flash if they can't repair its ever-growing vulnerabilities! |
| Guest on November 17, 2009 6:53 PM | So what's the hole exactly? Based on what I read, it looks like you could make an application that lets users upload a SWF to the server and then serve that same SWF up to other users as content. If that's correct, then Adobe is right to say it isn't their security issue but an issue with web applications that use that technology. Clearly Adobe cannot create a technology that stops servers from serving up SWF files. It would be the responsibility of the web application developer to make sure their application does not have this vulnerability. For the record, this exact same issue exists with JavaScript; that's why most blogs won't let you include HTML tags in your comments. |