Perhaps this message should read "in order to get 0wn3d, download Adobe Flash Player."
If you use a browser fitted with an Adobe Flash plugin, you might want to think about updating your software if you value your security.
According to an announcement by the United States Computer Emergency Response Readiness Team (or US-CERT), the latest version of Adobe's popular Flash Player 9 has a flaw which is currently being exploited to install malicious software on unsuspecting web users' PCs.
All versions of Flash 9 prior to the very latest release, version 126.96.36.199, are vulnerable to the attack, which exploits a flaw in ActionScript 3.0, a feature introduced in version 9 of the popular rich media player. To take advantage of the security hole that ActionScript 3.0 introduced, all a cracker needs to do is somehow point you toward a website containing an embedded SWF file that carries the exploit code. When this file is played via the browser, it will download and install whatever malware the cracker wants.
Adobe has announced that the vulnerability, which has been assigned the identifier CVE-2007-0071 by the Common Vulnerabilities and Exposures project, has been resolved as of Flash Player 188.8.131.52. If you haven't upgraded Flash Player in the last few days, now would be a very good time to do so. If you're not sure what version you're running, Adobe has a useful version checker on its website.
This isn't the first time a technology designed to bring music and video to websites has been used as an attack vector by ne'er-do-wells, and due to the complexity of the software involved it's unlikely to be the last. Although updating your software regularly helps mitigate the effects of flaws such as this, prevention is always better than cure – using a browser such as Firefox in conjunction with the NoScript add-on can protect you from a wide range of web-based attacks on untrusted websites even before the vulnerabilities are discovered.
Anyone here had their system do funny things after visiting a dodgy Flash-laden website, or do we all disable such frippery by default? Share your thoughts over in the forums.