Unpatchable Flash Flaw is 'Frighteningly Bad Thing'


Osiris


Foreground Security has uncovered a flaw in Adobe Flash that would allow an exploiter to compromise sites that allow uploading of content and then launch silent attacks on site visitors. Adobe told Foreground that this flaw is unpatchable and is instead relying on education to help site admins to close the hole on their end.


The problem lies in the Flash ActionScript same-origin policy, which is designed to limit a Flash object's access to other content only from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a Web site -- through its user-generated content capabilities, which typically allow people to upload files to the site or service -- they can execute malicious scripts in the context of that domain. "This is a frighteningly bad thing," Bailey said.
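
An added example, not part of the original post or of Foreground's advisory: one check a site admin can apply on the upload path is to screen files by content, rejecting anything that begins with an SWF header whatever its file name says. The function names and sample bytes below are constructed for illustration.

```python
import struct

# SWF file signatures (first three bytes) and the compression each implies.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes):
    """Return (compression, version, declared_length) for an SWF header, else None.

    Layout: 3-byte signature, 1-byte version, 4-byte little-endian file length.
    """
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    (declared_length,) = struct.unpack_from("<I", data, 4)
    return SWF_SIGNATURES[data[:3]], version, declared_length


def screen_upload(filename: str, data: bytes) -> dict:
    """Decide whether to accept a user upload, based on content rather than name."""
    if data[:3] not in SWF_SIGNATURES:
        return {"accept": True, "reason": "no SWF signature"}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    header = parse_swf_header(data)  # None if the file is too short to parse
    return {
        "accept": False,
        "reason": "content begins with an SWF signature",
        "disguised": ext != "swf",  # name claims to be something else
        "swf_version": header[1] if header else None,
    }


# Constructed sample inputs: header bytes only, not working files.
SAMPLE_DISGUISED = b"CWS" + bytes([9]) + struct.pack("<I", 1024) + b"\x00" * 16
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", SAMPLE_DISGUISED), ("logo.png", SAMPLE_PNG)]:
        print(name, screen_upload(name, blob))
```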
 