Alert: Really Bad Adobe Flash Exploit. Update Now!

Go grab a new version of Adobe Flash Player now, or risk getting your box hacked and rootkitted by over 20,000 websites that have malicious Flash code.

http://www.adobe.com/products/flashplayer/

Do you have a link to a news article?

Bah, found one. It doesn’t mention whether this affects Macs or just Windows.

As McAfee reports, this vulnerability turns out to be very similar to another recent one, CVE-2007-0071, which affected Adobe Flash Player 9.0.115.0 and earlier. Adobe has declared that it is, in fact, the same vulnerability and that the current version, 9.0.124.0, is not vulnerable. SecurityFocus has gone so far as to retire their entry on it.

But McAfee and others point out persistent reports that this exploit is affecting subsequent versions which were supposed to fix the problem. For this reason we see a lot of advice on how to disable Flash mixed in with advice to update to 9.0.124.0. We recommend upgrading to this version regardless of whatever else you do.

Another: http://blog.washingtonpost.com/securityfix/2008/05/exploit_inthewild_patch_your_f.html?nav=rss_blog

And to verify what version you currently have: http://www.adobe.com/products/flash/about

Is this fixed yet? According to the article, 9.0.124.0 is vulnerable, and that’s what they’re distributing at http://www.adobe.com/products/flashplayer/

From Adobe:

http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html

UPDATE: We’ve just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 are not vulnerable to these exploits.

Naturally these exploits are used to grab WoW passwords. Now one of the articles stated that using Google, nearly 250K websites had the malicious code. I’m glad to see that they fixed this; maybe now some people will realize that it’s not just the victims’ fault.

Also, if you’re a Firefox user, I cannot stress enough the helpfulness of the Noscript addon. It will specifically block everything (including Flash banners) until you tell it to.

Anything which forces people to upgrade their Player version is alright with me.

Just downloaded this, besides the security fixes what does this update do?

You should be safe with Vista, since of course you didn’t install Flash with elevated privileges.

http://www.adobe.com/support/documentation/en/flashplayer/9/releasenotes.html#fixes_90124

Fixes and Improvements in Flash Player 9.0.124.0

Adobe Flash Player 9.0.124.0 includes security enhancements described in Security Bulletin APSB08-11.

Cross-domain network headers are now allowed through the use of cross-domain policy files. The cross-domain policy file is required for both sending and loading requests.

All socket connections now require the use of a socket policy file. HTTP cross-domain policy files can no longer be used to authorize a socket. This change is described in Security changes in Flash Player 9.

SWF7 content loaded in Flash Player 9.0.124.0 will now have a default AllowScriptAccess setting of “sameDomain”. For additional information on the security changes and to learn if your content is affected, please see the Flash Player Developer Center.

Fixed in this version:

* A media streaming security vulnerability was fixed in both Flash Player and Flash Media Server. As a result, Flash Media Interactive Server 3 and Flash Media Streaming Server 3 customers who are streaming H.264 content to Flash Player 9.0.124.0 or higher will need to upgrade their server to version 3.0.1. (1688970)
* When html/SWF is in the local sandbox, getURL('javascript:.....') calls fail with Flash Player 9.0.115.0 in IE7. These calls will no longer fail in 9.0.124.0. (214359)
* A run-time warning has been added to the debug player in version 9.0.124.0 to reflect that AllowScriptAccess=”never” has been deprecated. (217472)
* Full-screen playback shows black triangles in Flash Player 9.0.115.0 on ATI cards on Microsoft Vista. (213941)
* Authorization header has been reinstated in Flash Player 9.0.124.0.

Known issues

For a comprehensive list of emerging and known issues, please visit the Flash Player Support Center.

General

* Flash Player cannot progressively load files that are greater than 2 GB (210223)
* UILoader ignores scaleContent when content is loaded through loadBytes (209828)
* Memory utilization could substantially increase when large numbers of bitmaps that are subject to mipmapping are loaded (205555).
* Flash Player supports up to 30 frames per second playback for video.
* Opera and Netscape do not allow recursive calls using the ExternalInterface API into the Flash Player. This issue has been reported to Opera and Netscape. (184777)
* In certain browsers, full-screen does not render correctly when the window is split between two monitors where one monitor has a higher resolution than the other. (210161)
* Socket connecting to port under 1024 throws ioError, not securityError (209795)
* When using the Flex profiler, if FlashPlayerTrust is incorrectly created as a file, the Flex profiler will crash. Please ensure FlashPlayerTrust is properly configured as a directory. (203879)
* On the Windows standalone Flash Player, empty POST actions are changed to GET. (85982)
* Subsequent loads of ActionScript 2.0 SWFs containing components into a parent ActionScript 3.0 SWF may cause some components to break. The components will work on the first load, but loading new, or unloading ActionScript 2.0 components of the same class may exhibit this behavior. (176101)
* Developers should not rely on garbage collection if immediate clean up of active objects, such as display objects, streams and media, is expected. Use the appropriate ActionScript 3.0 APIs (close, removeEventListener, etc.) to get immediate behavior when cleaning up active objects.
* The delete operator is intended to remove properties of an object, and cannot be used to remove members of a class. For more details on the delete operator, see the ActionScript 3.0 Language Reference.
* Flash Player sound input does not work for OS X Audio MIDI sample rate settings higher than 48 kHz. The microphone will either record noise or nothing. Some third party applications and MIDI breakout boxes will change the systemwide Audio settings on launch, and fail to return settings to default on close. To work around this issue, go to Applications -> Utilities -> Audio MIDI Setup. Select Sound Input and change the properties for the 'Built-in Input' and/or 'Built-in Microphone' to a setting less than or equal to 48 kHz. (160350)
* The standalone player cannot self-register SWF and FLV file associations under Vista without administrator privileges. Workaround: Users should launch SAFlashPlayer.exe once with administrator privileges by right-clicking on the EXE and selecting “Run as administrator” so it can correctly set the registry properties. (183319)
* Bitmap effects and filters cannot be printed. (185581)
* Button label text may not redraw correctly upon exiting full screen mode. User must mouse over the text to force the redraw. (185459)
* Transform Matrix transformations are not reflected in respective MovieClip/DisplayObject properties. Properties like scaleX, scaleY, and rotation are not changed as the result of changes to a DisplayObject's transformation matrix (flash.geom.Transform, flash.geom.Matrix). However, changes to those properties are reflected in the matrix. If you change a property after changing the matrix, the matrix also resets to its original value. Affects ActionScript 2.0 and ActionScript 3.0. Workaround: If using matrix transformations, avoid using scaleX, scaleY, and rotation in favor of their respective matrix transformations.
* Triggering stage.invalidate() during a “render” event listener fails. (184574)
* Empty strings passed through External Interface API via JavaScript are converted to null. (184474)
* Some users are experiencing sound problems under Windows due to lack of support for WaveOut with drivers for some video cards, such as Realtek and SoundMax. (184367)
* Launching the context menu when in full-screen mode may temporarily reduce FLV video playback performance on Macintosh systems. (189059)
* Although full-screen mode does not support text input, the text input cursor will display over input text fields. Workaround: dynamically convert input fields to dynamic text fields or disable TextInput components when in full-screen mode. (182474)
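The release notes above describe cross-domain policy files (and, for sockets, a separate socket policy file) as the mechanism that now authorizes cross-domain request headers and socket connections. As an added example that is not Adobe's code and not from any post in this thread, here is a small Python audit that parses a policy file in that format and flags the settings a reviewer would question: a site-control that permits policy files anywhere on the host, a wildcard domain, `secure="false"`, a socket policy open to every port, and arbitrary request headers from any origin. The three policies it checks are constructed for this example and `www.example.com` is a placeholder hostname.

```python
"""Audit Flash cross-domain / socket policy files for over-permissive settings.

Added example; not Adobe's code and not from the thread. The element and
attribute names (cross-domain-policy, site-control, allow-access-from,
allow-http-request-headers-from, to-ports, secure) are the ones Flash Player
reads from crossdomain.xml and socket policy files.
"""
import xml.etree.ElementTree as ET


def audit_policy(xml_text: str) -> list:
    """Return a list of human-readable findings for one policy document.

    An empty list means nothing in the policy looked over-permissive.
    For policy files fetched from untrusted hosts, parse with defusedxml
    instead of the stdlib parser to avoid entity-expansion tricks.
    """
    findings = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "cross-domain-policy":
        return [f"root element is <{root.tag}>, not <cross-domain-policy>"]

    # 'all' lets any file on the host act as a policy file; 'master-only'
    # restricts authority to the root crossdomain.xml.
    site_control = root.find("site-control")
    if site_control is not None:
        permitted = site_control.get("permitted-cross-domain-policies", "")
        if permitted == "all":
            findings.append("site-control permits policy files anywhere on the host ('all')")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*' grants every origin access")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from wildcard subdomain '{domain}'")
        # secure='false' lets SWFs loaded over HTTP read data from this HTTPS host.
        if el.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from '{domain}' has secure='false'")
        # to-ports appears only in socket policy files.
        if el.get("to-ports") == "*":
            findings.append(f"socket policy lets '{domain}' connect to every port")

    for el in root.findall("allow-http-request-headers-from"):
        domain = el.get("domain", "")
        headers = el.get("headers", "")
        if domain == "*":
            findings.append(
                f"any origin may send request headers '{headers}' cross-domain"
            )

    return findings


# Constructed sample policies for the example.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-http-request-headers-from domain="www.example.com" headers="Authorization"/>
</cross-domain-policy>
"""

OPEN_SOCKET_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY),
                         ("hardened", HARDENED_POLICY),
                         ("socket", OPEN_SOCKET_POLICY)]:
        print(name)
        for finding in audit_policy(policy) or ["  no findings"]:
            print(" ", finding)
```

Running the script prints four findings for the weak HTTP policy, none for the hardened one, and two for the open socket policy. The hardened form is what the release notes push sites toward: name the exact origins and headers you mean to allow, keep `secure` on for HTTPS hosts, and restrict policy authority to the master file.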

Thanks for the quick note Kong.

And don’t forget the Firefox Flashblock add-on, which won’t run any Flash until you click on the button with which it replaces the applet, or whatever you call the spot on the page where it runs. This is great for those crappy sites with annoying Flash zapping all over the place interfering with the content, and you can always toggle it off if you need to.

BTW - how do you know if your computer’s been affected? I’d guess the A/V makers aren’t up-to-date with this yet?

Oh yeah, I don’t know if this is still true with current versions of Flash…

But it used to be the case, that Flash apps had free access to camera, microphone, and some other system devices. Combine that with Flash’s network access, and you have a recipe for hilarity even without any actual vulnerabilities or exploits. As of a few years ago, Adobe had what amounted to a secret control panel web page to disable these features, as they didn’t advertise the page in the distribution itself, so hardly anyone ever turned it off. I’m not aware of any hacks that used this capability, but better safe than sorry…

Pause for research…

ZOMGs, it’s still there. Check out:

Adobe Settings Manager

Edit again: Oh wait, that’s a macromedia.com web page. It’s possible it’s an orphan page that was never removed from the server. Oops. Leaving the original post as an amusing record of the problem, at least.

Last night when I went to log in to WoW the MotD said “omgz get new flash or hax0rs will be on teh yu0r pc”.

Thanks for the warning, new Flash versions installed on both browsers!

I was actually a victim of this! One day I log on to WoW and I notice I had 6 new characters, all on different servers. My gold remained intact but I had my chatting privileges revoked, as obviously they were spamming chat with gold ads. The next day my account was suspended pending GM review and possible closure. Thankfully two days later my account was restored with a password change.

The new Flash no longer runs my screen saver. That sorta stinks.