Adobe Warns of Possible Flash Exploit

Having just integrated Macromedia's Flash Player into its technology portfolio, Adobe today issued a "critical" warning, advising Flash Player users to apply an update to prevent a possible denial of service attack.

The exploit affects what's called Flash remoting - essentially the provision of server-based application services via Flash, as opposed to via HTML, Active Server Pages or some other wrapper. Though an exploit itself has not yet been discovered, Adobe engineers found that a certain form of Flash remoting command sent to ColdFusion servers (another acquired Macromedia technology) triggers an infinite loop process that will not stop itself.

In that state, without the server being able to return to its control program, an attacker could conceivably launch a malicious incursion.

The technical portion of Adobe's bulletin today acknowledged that certain ColdFusion Markup Language (CFML) templates running outside the sandbox -- the protected area for user-level applications -- can place remote procedure calls to ColdFusion components running within a sandbox. If that call was one-way, and not intended to trigger a result, then conceivably, the ColdFusion sandbox might be safe, or "un-littered."

Apparently, that's not what is occurring, although the bulletin did not provide further details.

For an attacker to exploit this vulnerability, Adobe says, a malicious Flash SWF component could need to be loaded into the Flash Player via the Web browser. Such a component may not yet exist, but every time one of these bulletins is issued, as Alan B. Shepard would say, the clock is started.