New Adobe Flaw Being Used in Attacks

May 27, 2008 – 2:00 PM

An unpatched bug in Adobe Systems’ Flash Player software is being exploited by online criminals, Symantec reported Monday.

Few details on the bug are available, but the flaw lies in the latest version of the Adobe Flash Player browser plugin, which is widely used by Internet surfers to view animated Web pages. The flaw affects both the recently released Flash Player version 9.0.124 .0 and version 9.0.115.0, according to an advisory posted Monday to Symantec’s Security Focus Web site.

The flaw lets attackers run unauthorized software on the PC, and if the attack fails for some reason it will likely crash the browser, Security Focus said. Symantec is not aware of any vendor-supplied patches for the flaw, the advisory states.

Flash bugs have lately been a favorite of attackers. Adobe last month patched seven bugs in Flash Player, including the one that allowed hacker Shane Macaulay to win a laptop and US$5,000 for hacking into a Windows Vista machine in a March contest at the CanSecWest security conference.

In January, Adobe and other Web-development-tool vendors had to fix bugs in their development tools that created buggy Shockwave Flash (.swf) files that could be exploited in a cross-site scripting attack. This attack can be used by phishers, but it also gives the bad guys a nearly undetectable route into a victim’s bank account or almost any type of Web service.

When contacted Monday, Adobe could not confirm the details of Symantec’s report.

“We are working with Symantec to investigate the potential SWF vulnerability,” an Adobe spokesman said in an e-mail interview, “and will make more information available as soon as we know more.”

Source: PC World