RSSAdobe Warns of Possible Flash Exploit
By Scott M. Fulton, III | Published September 12, 2006, 5:28 PM
Having just integrated Macromedia's Flash Player into its technology portfolio, Adobe today issued a "critical" warning, advising Flash Player users to apply an update to prevent a possible denial of service attack.
The exploit affects what's called Flash remoting - essentially the provision of server-based application services via Flash, as opposed to via HTML, Active Server Pages or some other wrapper. Though an exploit itself has not yet been discovered, Adobe engineers found that a certain form of Flash remoting command sent to ColdFusion servers (another acquired Macromedia technology) triggers an infinite loop process that will not stop itself.
In that state, without the server being able to return to its control program, an attacker could conceivably launch a malicious incursion.
The technical portion of Adobe's bulletin today acknowledged that certain ColdFusion Markup Language (CFML) templates running outside the sandbox -- the protected area for user-level applications -- can place remote procedure calls to ColdFusion components running within a sandbox. If that call was one-way, and not intended to trigger a result, then conceivably, the ColdFusion sandbox might be safe, or "un-littered."
Apparently, that's not what is occurring, although the bulletin did not provide further details.
For an attacker to exploit this vulnerability, Adobe says, a malicious Flash SWF component could need to be loaded into the Flash Player via the Web browser. Such a component may not yet exist, but every time one of these bulletins is issued, as Alan B. Shepard would say, the clock is started.
Why fix it when you want everyone to stop using 8 and upgrade to 9 anyways...
Score: 0
Maybe I'm missing something here, but the vulnerability in Adobe's Article references a *CRITICAL* vulnerability in Flash Player affecting all Browsers across all Platforms.
never mind the ColdFusion issue.....
Score: 0
Version: 9,0,16,0
Browser: Firefox, Mozilla, Netscape, Opera, and CompuServe
Date Posted: 6/27/2006
So, what, Adobe has known about this for 3 months now and just decided to post?
Flash is probably the most impervious client side product that can be hit by a security issue. It's installed in almost more machines than windows, according to adobe. Scary...
Score: 0
"So, what, Adobe has known about this for 3 months now and just decided to post?"
So you'd rather them post it 3 months before they have a patch to fix it?
Score: 0