Slashdot Mirror


Flash Vulnerability Found, Adobe Says No Fix Forthcoming

An anonymous reader writes "Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems. Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be."

1 of 355 comments

  1. the article is bullshit. by tomhudson · Score: 1, Flamebait

    Example from the article:

    "All they need to do is create a malicious Flash object, and upload it to the [Web] server."

    He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack."

    Since when are you going to allow someone to upload an swf for an avatar? It's going to get creamed when you resize it via php anyway.

    This is the same "vulnerability" you'd have by allowing people to upload php code, or perl code, or javascript, to your server and you sending it out without doing ANY validation.

    In other words, it's not a vulnerability, it's a symptom of totally bonehead design and someone looking for page hits.

    What next - "All Windows Versions of Apache Vulnerable To .EXE Exploit" - where they'll say that if you allow people to upload .exe files to your site and blindly execute them, BAD THINGS (TM) will happen?

    This belongs in idle.slashdot.org - it's not news, it's so bad it's not even wrong.
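
The upload validation the comment refers to, as an added example (not code from the article, the researchers, or the commenter): an avatar upload is classified by its leading bytes instead of its file name, and anything that is not a known image type, including a Flash file renamed as an image, is rejected. The function names and sample uploads are constructed for illustration.

```python
import os

# Leading-byte signatures. SWF files start with FWS (uncompressed),
# CWS (zlib) or ZWS (LZMA), followed by a one-byte version number.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff(data: bytes) -> str:
    """Return 'png', 'jpeg', 'gif', 'swf' or 'unknown' from the leading bytes."""
    if data.startswith(SWF_MAGIC):
        return "swf"
    for kind, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return kind
    return "unknown"


def check_avatar(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept an upload only if content and extension agree on an image type."""
    claimed = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    actual = sniff(data)
    if actual == "swf":
        return False, "content is a Flash file"
    if actual == "unknown":
        return False, "content is not a recognised image"
    if claimed is None:
        return False, "extension is not an allowed image extension"
    if claimed != actual:
        return False, f"extension says {claimed}, content is {actual}"
    return True, actual


if __name__ == "__main__":
    # Constructed sample uploads: header bytes only, not complete files.
    samples = [
        ("me.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("avatar.jpg", b"CWS\x0a" + b"\x00" * 16),  # SWF named as a JPEG
        ("cat.gif", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("notes.txt", b"hello"),
    ]
    for name, blob in samples:
        print(name, check_avatar(name, blob))
```

This checks leading bytes only; re-encoding the image on the server, as the resize step in the comment would, writes a new file from the decoded pixels.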