Flaw Watch: Why Adobe Flash Attacks Matter
Reported Adobe Flash Player attacks got plenty of attention this week. But it's unclear if this was really about a new flaw.
By Bill Brenner, Senior Editor
May 30, 2008
About Flaw Watch: Each day, piles of flaw advisories are released by the various vendors, researchers and vulnerability clearinghouses. Since CSOs don't have time to review them all, we zero in on the most pressing issues and what can be done about them.
Vulnerability management experts are constantly telling IT shops to be on the lookout for new zero-day flaws and to take precautions against potential attacks until the vendor releases a patch.
That good advice applies to the Adobe Flash Player exploits that got so much attention this week, even though confusion abounds over whether they concern a new flaw or one for which a patch was released weeks ago.
As the IDG News Service's Robert McMillan reported, security vendor Symantec Corp. issued grim warnings earlier in the week about a previously unknown and unpatched flaw that was being exploited on tens of thousands of Web pages. The flaw allowed attackers to install unauthorized software on a victim's machine and was being used to install botnet programs and password-logging software, Symantec said.
Thursday, however, Symantec backtracked after Adobe released a statement denying that the matter concerned a new flaw.
In a progress report posted to the official Adobe PSIRT blog, David Lenoe said the exploit "appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0."
In an update to that blog entry, he said Symantec had confirmed that all versions of Flash Player 9.0.124.0 are not vulnerable to the exploits. Symantec Senior Researcher Ben Greenbaum acknowledged that the flaw was previously known and had been patched by Adobe on April 8, though he said the Linux version of Adobe's stand-alone Flash Player 9.0.124 was still vulnerable to the attack.
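The practical takeaway from the back-and-forth above is an inventory question: which machines are still running a Flash Player older than 9.0.124.0? The following is an added example, not code from the article, Adobe or Symantec. It normalizes the three version formats Flash commonly reports (the player's own "WIN 9,0,124,0" style, the dotted file-version style, and the browser plugin description "Shockwave Flash 9.0 r115"), compares against the version Adobe's PSIRT post names as the fix, and, following Symantec's statement quoted above, also flags the Linux stand-alone 9.0.124 player. The inventory records are constructed sample data; the field names are assumptions.

```python
import re

# Version Adobe's PSIRT post says resolved the flaw (from the article).
PATCHED = (9, 0, 124, 0)

_NUM = re.compile(r"\d+")


def parse_flash_version(text):
    """Normalize a reported Flash version into a 4-tuple of ints.

    Accepts 'WIN 9,0,124,0' (ActionScript Capabilities.version),
    '9.0.124.0' (file/registry style) and 'Shockwave Flash 9.0 r115'
    (browser plugin description). Missing trailing fields are taken as 0.
    """
    nums = [int(n) for n in _NUM.findall(text)][:4]
    if not nums:
        raise ValueError(f"no version numbers found in {text!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def is_patched(version, platform="windows", standalone=False):
    """True if this install is at or past the fixed version.

    The Linux stand-alone 9.0.124 case follows Symantec's statement quoted
    in the article; treat it as an assumption to re-verify against Adobe.
    """
    v = parse_flash_version(version)
    if v < PATCHED:
        return False
    if platform == "linux" and standalone and v[:3] == (9, 0, 124):
        return False
    return True


def triage(inventory):
    """Return the hostnames that still need attention, in inventory order."""
    return [
        rec["host"]
        for rec in inventory
        if not is_patched(rec["version"],
                          rec.get("platform", "windows"),
                          rec.get("standalone", False))
    ]


# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE_INVENTORY = [
    {"host": "ws-101", "platform": "windows", "version": "WIN 9,0,124,0"},
    {"host": "ws-102", "platform": "windows", "version": "Shockwave Flash 9.0 r115"},
    {"host": "mac-07", "platform": "macos", "version": "9.0.124.0"},
    {"host": "lnx-03", "platform": "linux", "standalone": True,
     "version": "LNX 9,0,124,0"},
    {"host": "lnx-04", "platform": "linux", "version": "LNX 9,0,124,0"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player needs update or review")
```

Run against a real software inventory export, the same tuple comparison works for any later fixed version: replace PATCHED and drop the Linux special case once Adobe's advisory no longer calls for it.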
In the bigger picture, whether this was a new flaw or an older one is beside the point. The reality is that Adobe Flash Player was targeted and has been attacked several times before. Since a massive number of people use the application on their work machines, IT security pros need to be concerned.
For a couple of years now, attackers have largely set their sights on application flaws as organizations got better at securing their network perimeters. Multimedia applications like Flash Player, Windows Media Player, Apple QuickTime and RealPlayer have proven to be fertile ground for exploits.
Meanwhile, application attacks have grown more popular in a Web 2.0 universe where companies are increasingly dependent on e-commerce.