Adobe Flash Exploit Could Log Keystrokes

Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers. The problem affect Adobe Flash Player version 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."

Re:Can't trust 'em

[also-rr]

If you don't trust adobe you could always install the open source Flash plugin swfdec. It's come on a lot recently and now plays most things. Hopefully the heavy pace of development will continue - I'm seeing about 5 commits per day adding new stuff on the mailing list.

Does it effect Flash Lite/Wii users?

[Organic+User]

Flash Lite is used on mobile devices. I assume this effects the Flash player on the Wii?

Re:Does it effect Flash Lite/Wii users?

[AKAImBatman]

Does it effect Flash Lite/Wii users?

Since no one else will just answer the darn question, I will.

The answer is that it may technically affect the Wii. However, it is a practically useless exploit on such a device. For one thing, the system does not multitask. So if the only keypresses that could be trapped are the ones already available through Javascript or Flash. Secondly, there are no keypresses. Flash does not receive anything as a keypress, while Javascript is capable of receiving the Wii Remote buttons as if they were "keys".

Information placed in text fields cannot be logged, as it is handled by a "stop-the-world" on screen keyboard. (Oddly, the Flash player does not run while the keyboard is on the screen, but scheduled Javascript events continue to execute in the background. Go figure.) Since neither Flash nor Javascript can interact with this keyboard, the user is pretty safe from having their passwords or credit card information stolen. The only real exploit is the old-fashion social engineering exploit. i.e. Try to get someone to enter their information into a compromised Flash Movie or webpage. Which does not require a security exploit to accomplish. :)

NoScript blocks Flash

[Matt+Perry]

Once again NoScript helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.

Flash Player 9 is NOT affected by keystoke logging

From the article: "In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected."

Beautiful, but I guess this is slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.

Did anyone read the article?

[popo]

This isn't a bug in the latest flash plugin... only older ones.

I for one love the fact that Flash still represents one of the few uniform platforms on the interweb
with extremely limited cross-browser issues.

Re:Confusing Product Names

[AKAImBatman]

Shockwave was Macromedia's original online animation plugin. It is extremely feature-rich and quite fast at what it does. It's also quite large. So when a company called FutureWave created a much smaller vector-graphics competitor, Macromedia bought them out and renamed it "Shockwave Flash" to give the impression that Flash was a subset of their Shockwave technologies. (You'll notice that the Flash movie extension is "SWF". "ShockWave Flash")

In reality, it was all just marketing BS. Flash had enough features to make animation authors (and later game developers) happy, so it quickly replaced the more heavyweight Shockwave. After the acquisition of Macromedia by Adobe, they stopped trying to maintain the charade and simply called it "Adobe Flash". There are still a few vestigial pieces of the software that refer to "Shockwave Flash", but they're slowly disappearing as time goes on.

Re:Great...

[MojoRilla]

You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash.

Why? I'm sure the editorial group uses a CMS to publish these pages, and the standard template has DoubleClick ads in them. DoubleClick may or may serve out Flash ads, based on what is bought and should be served at any particular moment. This allows the advertiser to have a lot of flexibility, as they can buy only 1,000 impressions or 1,000,000 impressions, and have those ads served out over a wide range of pages. It also makes it easy for editorial people to get paid for their work, instead of having to worry about ads on every single page they publish

There are some cases where ads will be pulled or targeted for a specific reason, such as no ads at all on plane crash stories, or no MSN ads on AOL pages. But it would be far too costly to make an exception like that for a flash ad on a page about flash insecurities.

Re:Can't trust 'em

[X0563511]

Thanks for linking to the project webpage which redirects to a wiki. Next time link to the sf.net project page and let us choose to go to the homepage ourselves rather than fight with sf.net.