Remote exploit in Adobe Flash player
Yet another remote code execution vulnerability has been found in the Adobe Flash player plug-in. This time every release of versions 7 and 8 is affected on “all platforms” (the current version of Flash player is 9).
Serious vulnerabilities in Flash have been discovered many times before (CVE-2006-3587, CVE-2006-0024, MPSB05-07 and CVE-2002-0477). The interesting thing is that though most of the planet has some version of the Flash Player installed in their browsers, reported vulnerabilities are largely ignored.
Few organizations think about the browser plug-ins they have installed. They may be aware that things like Flash, Java and Adobe PDF viewer are installed but few seem to keep records of the version or have ways to deal with them in their patch management system. The stats I see on web sites we manage show that about 90% of the visitors are running the vulnerable versions 7 or 8 of Flash player.
This is another security blind spot. Flash vulnerabilities never seem to get much exposure. It may be because the idea that Flash was completely safe became accepted ten years ago when it was first introduced. PDF files enjoy that same status… most think of PDFs as inert read-only file types, yet for several years authors have been able to embed scripting, executables and exploitable Windows multimedia in them. (Interesting experiment: if you have a copy of Acrobat, embed some malware inside a PDF and see if your anti-virus systems detect it. Many AV systems are either incapable of scanning PDFs or are configured to ignore that file type.)
Anyway, the official vulnerability announcement from Adobe is found here. Update your systems soon.