Slashdot Mirror


Adobe Flash Exploit Could Log Keystrokes

Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers. The problem affects Adobe Flash Player versions 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."

16 of 156 comments

  1. Great... by 6Yankee · · Score: 5, Funny

    ...and TFA has a Flash ad...

    1. Re:Great... by Cutriss · · Score: 4, Insightful

      You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash. Of course, they just want to get paid and don't really care about you, so I can't say I'm all that surprised.
      Or...maybe the world isn't as evil of a place as you think, and the people writing the article aren't the same people that develop the website? Maybe they don't even know how to use Flash and just write copy?
      --
      "Mod, mod, mod...and another troll bites the dust."
    2. Re:Great... by MojoRilla · · Score: 4, Informative

      You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash.
      Why? I'm sure the editorial group uses a CMS to publish these pages, and the standard template has DoubleClick ads in them. DoubleClick may or may not serve out Flash ads, based on what is bought and should be served at any particular moment. This allows the advertiser to have a lot of flexibility, as they can buy only 1,000 impressions or 1,000,000 impressions, and have those ads served out over a wide range of pages. It also makes it easy for editorial people to get paid for their work, instead of having to worry about ads on every single page they publish.

      There are some cases where ads will be pulled or targeted for a specific reason, such as no ads at all on plane crash stories, or no MSN ads on AOL pages. But it would be far too costly to make an exception like that for a flash ad on a page about flash insecurities.
  2. Always So Negative by eldavojohn · · Score: 4, Funny
    I know a lot of people are going to find something to complain about with these new bugs--no, wait--features of our beloved and adored Adobe Flash plugin but I think we should turn these lemons into lemonade and recognize all the fun things people can do with a tool like a keystroke logger:
    • Get an extremely accurate analysis of your words per minute in typing.
    • Search through the log and double check that you correctly entered all of your banking account numbers, credit card and personal information on all of your internet forms.
    • Do searches on the log to see if you ever accidentally typed "teh" and how many times that happened.
    • Compare your Letter Frequency to the standard featured in Edgar Allan Poe's The Gold Bug
    As you can see, there are many fun & great things that one can do with the potential of these new key logging features.

    </sarcasm>
    --
    My work here is dung.
    1. Re:Always So Negative by CaptainPatent · · Score: 4, Funny

      Wow... and you typed that post at 55 words per minute!

      --
      Well, back to rejecting software patent applications.
  3. Re:Can't trust 'em by also-rr · · Score: 5, Informative

    If you don't trust Adobe you could always install the open source Flash plugin swfdec. It's come on a lot recently and now plays most things. Hopefully the heavy pace of development will continue - I'm seeing about 5 commits per day adding new stuff on the mailing list.

  4. Does it affect Flash Lite/Wii users? by Organic User · · Score: 4, Informative

    Flash Lite is used on mobile devices. I assume this affects the Flash player on the Wii?

    1. Re:Does it affect Flash Lite/Wii users? by EveryNickIsTaken · · Score: 5, Funny

      This therefore begs the question.. Can a keystroke logger also log waggles?

    2. Re:Does it affect Flash Lite/Wii users? by AKAImBatman · · Score: 4, Informative

      Does it affect Flash Lite/Wii users?

      Since no one else will just answer the darn question, I will.

      The answer is that it may technically affect the Wii. However, it is a practically useless exploit on such a device. For one thing, the system does not multitask. So the only keypresses that could be trapped are the ones already available through Javascript or Flash. Secondly, there are no keypresses. Flash does not receive anything as a keypress, while Javascript is capable of receiving the Wii Remote buttons as if they were "keys".

      Information placed in text fields cannot be logged, as it is handled by a "stop-the-world" on-screen keyboard. (Oddly, the Flash player does not run while the keyboard is on the screen, but scheduled Javascript events continue to execute in the background. Go figure.) Since neither Flash nor Javascript can interact with this keyboard, the user is pretty safe from having their passwords or credit card information stolen. The only real exploit is the old-fashioned social engineering exploit. i.e. Try to get someone to enter their information into a compromised Flash Movie or webpage. Which does not require a security exploit to accomplish. :)
  5. NoScript blocks Flash by Matt Perry · · Score: 4, Informative

    Once again NoScript helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  6. Flash Player 9 is NOT affected by keystroke logging by Anonymous Coward · · Score: 5, Informative
    From the article: "In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected."

    Beautiful, but I guess this is Slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.

  7. Back in the old days... by TheTranceFan · · Score: 4, Funny

    You know, back in the old days we only had linear keystrokes, and they worked fine for us. Now it's all about the log keystrokes with the kids these days.

    World's going to hell.

  8. Did anyone read the article? by popo · · Score: 4, Informative

    This isn't a bug in the latest flash plugin... only older ones.

    I for one love the fact that Flash still represents one of the few uniform platforms on the interweb with extremely limited cross-browser issues.

    --
    ------ The best brain training is now totally free : )
  9. Re:Confusing Product Names by AKAImBatman · · Score: 5, Informative

    Shockwave was Macromedia's original online animation plugin. It is extremely feature-rich and quite fast at what it does. It's also quite large. So when a company called FutureWave created a much smaller vector-graphics competitor, Macromedia bought them out and renamed it "Shockwave Flash" to give the impression that Flash was a subset of their Shockwave technologies. (You'll notice that the Flash movie extension is "SWF". "ShockWave Flash")

    In reality, it was all just marketing BS. Flash had enough features to make animation authors (and later game developers) happy, so it quickly replaced the more heavyweight Shockwave. After the acquisition of Macromedia by Adobe, they stopped trying to maintain the charade and simply called it "Adobe Flash". There are still a few vestigial pieces of the software that refer to "Shockwave Flash", but they're slowly disappearing as time goes on.

  10. Re:Can't trust 'em by X0563511 · · Score: 4, Informative

    Thanks for linking to the project webpage which redirects to a wiki. Next time link to the sf.net project page and let us choose to go to the homepage ourselves rather than fight with sf.net.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  11. AMD64 by Sunshinerat · · Score: 4, Funny

    Does anybody know if the 64 bit Linux version is also affected?

    Oh wait...


    MvE

    --
    Load New Commander (Y/N)?