Adobe Flash exploit could log keystrokes

• Tags:
• Flash,
• Error,
• Solaris,
• Player

Dawn Kawamoto CNET News

Published: 13 Jul 2007 16:34 BST

• 
• 
• 
• 
• 

Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.

Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.

Users loading a malicious vector graphics file format (SWF) in their Flash Player may find attackers exploiting security flaws due to an input validation error in 9.0.45.0 and earlier versions, according to a security advisory from Secunia. Attackers, as a result, can gain remote access to a user's system.

In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected.

Versions 8.0.34.0 and earlier contain a bug due to insufficient validation of the HTTP referer. As a result, an attacker could execute a cross-site forgery attack. Flash Player 9, however, is not affected.

Adobe recommends that 9.0.45.0 users upgrade to 9.0.47.0 for Windows, Mac and Solaris, or 9.0.48.0 for Linux.

Adobe Flash Player 9 is the recommended solution for the other two versions that contain security flaws.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed