Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Adobe Flash Exploit Could Log Keystrokes

Posted by CmdrTaco on Mon Jul 16, 2007 10:55 AM
from the i-thought-adobe-was-good-in-a-wreck dept.
Security
Kenyon Lessi writes "Adobe has issued three critical security updates, one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers. The problem affect Adobe Flash Player version 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Adobe Flash Exploit Could Log Keystrokes 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Great... (Score:5, Funny)

    by 6Yankee (597075) on Monday July 16 2007, @10:58AM (#19877087)
    ...and TFA has a Flash ad...

    • Full Article (Score:3, Informative)

      by Anonymous Coward
      Adobe Flash exploit could log keystrokes
      By Dawn Kawamoto [mailto], CNET News.com
      16/07/2007
      URL: http://www.zdnetasia.com/news/security/0,39044215, 62028443,00.htm [zdnetasia.com]

      Adobe has issued three critical security updates [adobe.com], one of which is designed to stop a problem in the way the Flash player interacts with browsers, which could result in users' keystrokes being transmitted to attackers.

      Adobe Flash Player 9.0.45.0, 8.0.34.0 and 7.0.69.0, as well as their earlier versions running on all platforms, are affected.

      Users

    • Sorry, a *what" ? (Score:4, Informative)

      by DrYak (748999) on Monday July 16 2007, @12:25PM (#19878307) Homepage

      and TFA has a Flash ad...


      Sorry a Flash-what ?

      Oh, it must be one of those things we are missing, as users of :

      Adblock [mozilla.org] plugin (stops ads, be it Flash, Javascript or plain pictures)
      Adblock+ [mozilla.org] plugin (fork with different features but similar purpose)
      Adblock Filterset.G updater [mozilla.org] plugin (updates the whitelist/blacklist of the above - no more need to configure manually, just install and forget)

      or NoScript> [mozilla.org] plugin (selectively inhibits Javascript, Java and Flash following whitelist/blacklist),
      FlashBlock [mozilla.org] plugin (prevent Flash embeds to auto-start. User must click on place holders to start them),

      or Gnash [gnashdev.org] GPL Flash player (GNU page [gnu.org]) (an Open source player which, not only has an option to prevent flash from autostarting, but also isn't probably even affected by the exploit of TFA),
      SWFDec [freedesktop.org] GPL Flash decoding library (another opensource plugin for browsers which probably isn't affected by the exploid either),
      or not installing a Flash player at all and using SaveTube [savetube.com] to watch flashvideos.

      I think most geeks haven't seen an ad for years and have anyway many mean at their disposition to avoid being exploited by flash bugs.

      • Yeah, I have Flashblock, actually. Doesn't mean I don't know an ad when I see one (or its placeholder), you smug smartass.

      • Re:Great... (Score:5, Insightful)

        by Cutriss (262920) on Monday July 16 2007, @11:35AM (#19877523) Homepage

        You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash. Of course, they just want to get paid and don't really care about you, so I can't say I'm all that surprised.
        Or...maybe the world isn't as evil of a place as you think, and the people writing the article aren't the same people that develop the website? Maybe they don't even know how to use Flash and just write copy?
          • maybe it's part of their defense. If some on gets hacked because of that banner ad, Adobe could say "Hey we warned you"

      • Re:Great... (Score:5, Informative)

        by MojoRilla (591502) on Monday July 16 2007, @11:44AM (#19877625)

        You'd think that it would have occurred to them that they were putting a Flash ad on a page discussing a major flaw in Flash.
        Why? I'm sure the editorial group uses a CMS to publish these pages, and the standard template has DoubleClick ads in them. DoubleClick may or may serve out Flash ads, based on what is bought and should be served at any particular moment. This allows the advertiser to have a lot of flexibility, as they can buy only 1,000 impressions or 1,000,000 impressions, and have those ads served out over a wide range of pages. It also makes it easy for editorial people to get paid for their work, instead of having to worry about ads on every single page they publish

        There are some cases where ads will be pulled or targeted for a specific reason, such as no ads at all on plane crash stories, or no MSN ads on AOL pages. But it would be far too costly to make an exception like that for a flash ad on a page about flash insecurities.
  • I know a lot of people are going to find something to complain about with these new bugs--no, wait--features of our beloved and adored Adobe Flash plugin but I think we should turn these lemons into lemonade and recognize all the fun things people can do with a tool like a keystroke logger:
    • Get an extremely accurate analysis of your words per minute in typing.
    • Search through the log and double check that you correctly entered all of your banking account numbers, credit card and personal information on all of your internet forms.
    • Do searches on the log to see if you ever accidentally typed "teh" and how many times that happened.
    • Compare your Letter Frequency [wikipedia.org] to the standard featured in Edgar Alan Poe's The Gold Bug
    As you can see, there are many fun & great things that one can do with the potential of these new key logging features.

    </sarcasm>

    • Re:Always So Negative (Score:5, Funny)

      by CaptainPatent (1087643) on Monday July 16 2007, @11:05AM (#19877165) Journal
      Wow... and you typed that post at 55 words per minute!

    • Re: (Score:2, Insightful)

      by monk.e.boy (1077985)

      they should Open Source the player. That would solve most of their problems.

      The only bit that is worth anything is the Flash IDE designer thingy.

      If it was opensource it'd be a great stop gap between HTML + JS (now) and HTML + SVG + JS (future). It'd also help fight Silverlight, which is gunna take over the world if we aren't careful :-(

      Any other ideas for spreading multi-media web without using Java (ugh) Flash (ugh) or Silverlight (hm...)?

      monk.e.boy

    • Re: (Score:3, Interesting)

      by UbuntuDupe (970646) *
      This sounds kind of like the "exploit" in Second Life, where you can script objects to listen for commands from users, which necessarily allows you to script listening bugs -- just have it listen for whatever people say near it, and IM the results back to you. I actually wrote a few of these and ended up finding out not-too-cool things people were saying about me.

      Anyone know if they've fixed this somehow?
      • That's impossible to 'fix' by the nature of the world. If you want an object to listen for another object, you set up a listener filtered to the other object's specific name or key. There's no permissions system for general chat beyond channels, and it'd be a MAJOR inconvenience if any object had to get permission from all parties within 96m of it to listen to them.
        Speaking on channel 0 is identical to speaking in public; anyone can hear you, anyone can record what you're saying. It's still a legal violatio

  • Time to update! (Score:3, Funny)

    by Anonymous Coward on Monday July 16 2007, @11:05AM (#19877171)
    Time to update Adobe Updater so it can download the new updates!

    http://www.agavegroup.com/images/articles/adobeUpd ater.gif [agavegroup.com]

  • Does it effect Flash Lite/Wii users? (Score:4, Informative)

    by Organic User (1103717) on Monday July 16 2007, @11:07AM (#19877193)
    Flash Lite is used on mobile devices. I assume this effects the Flash player on the Wii?
    • This therefore begs the question.. Can a keystroke logger also log waggles?

    • Does it effect Flash Lite/Wii users?

      Since no one else will just answer the darn question, I will.

      The answer is that it may technically affect the Wii. However, it is a practically useless exploit on such a device. For one thing, the system does not multitask. So if the only keypresses that could be trapped are the ones already available through Javascript or Flash. Secondly, there are no keypresses. Flash does not receive anything as a keypress, while Javascript is capable of receiving the Wii Remote buttons as if they were "keys".

      Information placed in text fields cannot be logged, as it is handled by a "stop-the-world" on screen keyboard. (Oddly, the Flash player does not run while the keyboard is on the screen, but scheduled Javascript events continue to execute in the background. Go figure.) Since neither Flash nor Javascript can interact with this keyboard, the user is pretty safe from having their passwords or credit card information stolen. The only real exploit is the old-fashion social engineering exploit. i.e. Try to get someone to enter their information into a compromised Flash Movie or webpage. Which does not require a security exploit to accomplish. :)

  • NoScript blocks Flash (Score:5, Informative)

    by Matt Perry (793115) on Monday July 16 2007, @11:20AM (#19877345)
    Once again NoScript [noscript.net] helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock [mozilla.org] is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.
    • But what about spam? I know that most of us here wouldn't click the link. But I've seen spam that was supposed to be from bluemountain [bluemountain.com] that had this exploit in it. Of course the headers told a different story (it originated in Poland), but my point is that you've got the usual gang of idiots that will click any link in an email if they think "Oooo, Mom send me another e-card".

  • Monopoly (Score:4, Informative)

    by plams (744927) on Monday July 16 2007, @11:22AM (#19877379) Homepage

    The Flash monopoly is probably worse than the Internet Explorer monopoly (which is slowly dissolving). While the file format is semi-open to the public you have to agree on a license that prevents you from writing your own Flash player from the documentation - it only allows you to write exporters. When you get past that you'll find a file format that is hideously obfuscated. Variable bit length integers means that your data isn't even byte-aligned. The documentation does very little to help you figure out why a seemingly valid Flash file just doesn't render correctly in the player.

    It pisses me off because Flash really has a lot of exciting stuff to offer, yet they can run the development at their own pace, writing shitty players with security holes (not to mention that they're still software rendering graphics in year of 2007). Even though my primary computer has Linux installed I find myself hoping that the new Windows Silverlight [wikipedia.org] will give Flash a lot of healthy competition. It doesn't seem like any opensource projects are close to rivaling Flash yet.

    • Re: (Score:2, Insightful)

      by WIAKywbfatw (307557)
      Even though my primary computer has Linux installed I find myself hoping that the new Windows Silverlight will give Flash a lot of healthy competition.

      You're hoping that Flash will be displaced by Silverlight, a Microsoft offering? Seriously?

      Say what you want about Adobe but at least Flash is available for more than Windows and OSX, which are the only two OSes that Silverlight will be available on.

      Not only do Adobe produce Linux players, they also produce a Solaris player. Good luck trying to get either of
      • I didn't say that I wanted Flash to be killed off by Silverlight just that I wanted the competition (I agree that may be a dangerous thing to wish for when the competition is Microsoft). Also, last I checked (when it was under the name WPF/E) Microsoft claimed they'd write a player for Linux too - they seem to have dropped that :(. On another note, I just discovered JavaFX which seems like an exciting 3rd contender. Too bad it's still in alpha, but open source competition for Flash is what I'm really lookin
        • No, as far as I'm aware, Microsoft haven't got a Linux player yet.

          They've said that they'll develop the Windows and MacOS players first and then, at some time in the future, they'll eventually release a Linux player. Call me a cynic but I think that Linux player will either A) never see the light of day; or B) be very poorly coded and virtually unsupported.

          But, to be honest, do you want browsers (and web developers) bogged down by even more stuff? Yet another file format that adds nothing to the party doesn

      • Re: (Score:3, Insightful)

        by TheRaven64 (641858)
        Look at IE between killing off NetScape and FireFox becoming popular. Now compare that to IE when it had competition from NetScape and later FireFox. I don't want SilverLight to win, but I'd much rather Flash had some competition, because competition helps encourage innovation.

      • Silverlight will give Flash a lot of healthy competition != will be displaced by Silverlight

        I *think* the op believes that such competition will be beneficial to the end users ... having a choice often is... I may be wrong...

    • The currently under active development alternatives are :
      • Gnash [gnu.org] - (project development page [gnashdev.org])
        an open-source project which develops a Flashplayer which can be run stand-alone, be swallowed inside web browser using appropriate plug-ins, or integrated in bigger project using extensions. Supports OpenGL and Cairo as hardware accelerated renderer. Also, has an option not to auto-start playing the flash crapnimations.
      • SWFDec [freedesktop.org]
        an open-source library for decoding flash, which also comes with a browser plugin.

      T

  • Flash Player 9 is NOT affected by keystoke logging (Score:5, Informative)

    by Anonymous Coward on Monday July 16 2007, @11:23AM (#19877401)
    From the article: "In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted. Flash Player 9 is not affected."

    Beautiful, but I guess this is slashdot and no one bothers to read the articles they submit. And yes, 9.0.45.0 still has a serious remote exploit flaw, but mixing these issues together is not the way to go.

    • What kind of sucks is that Flash 9 for Solaris is only available for Solaris 10, though there may be a way of getting the necessay libraries on Solaris 9. OTOH, Solaris 10 has enough advantages for desktop users (who would need Flash on a server?) so that's not a huge limitation.


      There are some issues with Flash video on Mozilla 1.7 on Sparc, which do not occur with Firefox on Sparc.

  • Quality (Score:3, Interesting)

    by Reality Master 101 (179095) <RealityMaster101.gmail@com> on Monday July 16 2007, @11:26AM (#19877423) Homepage Journal

    You know, to be fair to Flash, I have to say that it's an incredibly well-written application overall. It's very small to download and it works very well. Heck, they actually made video consistently work on the Internet! I think you can make an argument that they are solely responsible for making video sites like YouTube viable. All video STILL sucks except for Flash.

    Of course, the quality of Flash is a different question from how it's abused. :) [personally, I don't mind Flash all that much.]

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      So well written that they couldn't port it to 64bit platforms without rewriting the underlying script host from the ground up. [mozilla.org]

      That's some "Real Quality Software" right there and it's great that flash is so instrumental in furthering the promise of an open, accessible web. How I wish every web page was a chunk of executable bytecode.

      • So well written that they couldn't port it to 64bit platforms without rewriting the underlying script host from the ground up.

        Portability (which has multiple dimensions) is not a measure of quality, it is a design goal that may or may not be part of the goals of a project.

    • Re: (Score:3, Interesting)

      by TheRaven64 (641858)
      There are a few projects that really show up Java. One is Flash. Another is Squeak, which manages to run Smalltalk fast enough that you can run video CODECs written in Smalltalk on it even on slightly old hardware. I think the Squeak team really dropped the ball on the whole web thing; a Squeak plugin could have been an incredible platform for rich client-side development (Squeak is still one of the best development environments around), but they concentrated on desktop replacement instead.

  • Back in the old days... (Score:5, Funny)

    by TheTranceFan (444476) on Monday July 16 2007, @11:26AM (#19877439) Homepage
    You know, back in the old days we only had linear keystrokes, and they worked fine for us. Now it's all about the log keystrokes with the kids these days.

    World's going to hell.

  • Did anyone read the article? (Score:5, Informative)

    by popo (107611) on Monday July 16 2007, @11:30AM (#19877475) Homepage
    This isn't a bug in the latest flash plugin... only older ones.

    I for one love the fact that Flash still represents one of the few uniform platforms on the interweb
    with extremely limited cross-browser issues.
  • Down left down down space space right up space space space space esc

  • Positive thinking (Score:3, Funny)

    by TheDarkener (198348) on Monday July 16 2007, @11:41AM (#19877593)
    Not that this security hole has much at all to do with it, but I strongly believe in positive thinking.

    Maybe if we all chant, they will hear us.

    Adobe will open-source flash.
    Yes.
    Adobe will open-source flash.
    Yes.
    Adobe will open-source flash.
    Yes.
    Adobe will open-source flash.
    Yes.
    Adobe will open-source flash.
    Yes.
    Adobe will open-source flash.
    Yes.
    Adobe will open-source flash.
    Yes.
    Adobe will open-source flash.
    Yes.

  • Is the ActiveX affected? (Score:3, Insightful)

    by smooth wombat (796938) on Monday July 16 2007, @11:46AM (#19877655) Homepage Journal
    We don't allow people to install Flash on their systems here at work but we do provide the ActiveX component to run Flash. Is it affected as well? The article doesn't say.

    Personally, I don't run Flash. Time and again it has been shown to be a security risk and these new developments only strengthen that perception.

  • AMD64 (Score:4, Funny)

    by Sunshinerat (1114191) on Monday July 16 2007, @11:54AM (#19877795)

    Does Anybody know if the 64 bit Linux version is also affected?

    Oh wait...


    MvE

  • I've been using flashblock [mozdev.org] since the very first time (almost 8 years ago) flash scared the shit out of me with unexpected and LOUD sounds from an ad.

    Nowadays I'm surprised how many tracking gadgets are embedded on otherwise ordinary looking pages and I'm sure to clean out my macromedia shared object folder form time to time...

    The nice thing about flashblock is the ease with which I can play flash games and watch youtube videos -- when I'm in the mood to click through. Personally, I think something lik

  • Misleading headline (Score:3, Insightful)

    by mad.frog (525085) <steven&crinklink,com> on Monday July 16 2007, @12:54PM (#19878705)
    More accurate would be "Adobe Issues Fixes For Flash Exploit That Could Log Keystrokes"...

    Headline implies that exploits were just found and still exist. Not so.

    • Re:Can't trust 'em (Score:5, Informative)

      by also-rr (980579) on Monday July 16 2007, @11:05AM (#19877173) Homepage
      If you don't trust adobe you could always install the open source Flash plugin swfdec [sf.net]. It's come on a lot recently and now plays most things. Hopefully the heavy pace of development will continue - I'm seeing about 5 commits per day adding new stuff on the mailing list.
      • Thanks for linking to the project webpage which redirects to a wiki. Next time link to the sf.net project page [sourceforge.net] and let us choose to go to the homepage ourselves rather than fight with sf.net.

      • Re: (Score:2, Interesting)

        by Touvan (868256)
        This is very interesting. Like the Java clones before it, this project (swfdec), and gnash show how popular closed source projects have their own way of encouraging something similar to the dreaded "forking" that corporations fear so much. What's interesting about Java is that opening the source seems to have reversed that trend, and we now see some attempts to unify the many Java code bases.

        I wonder if Adobe will figure that out, and open up Flash Player some more.
    • I believe the buttons on the Wiimote map to a few keys (for use in Flash games) and the pointer just picks up as a mouse. That's about it.

      • Re: (Score:3, Insightful)

        by AKAImBatman (238306) *

        I believe the buttons on the Wiimote map to a few keys (for use in Flash games)

        Actually, the keypresses only make it as far as Javascript. In order to "hear" the presses in Flash, you need to use the WiiCade API [wiicade.com], which traps all the keypresses and forwards them to Flash. There's also the earlier Quasimondo API [quasimondo.com], but it fails to trap the keypresses, making it useless under most circumstances.

    • Shockwave was Macromedia's original online animation plugin. It is extremely feature-rich and quite fast at what it does. It's also quite large. So when a company called FutureWave created a much smaller vector-graphics competitor, Macromedia bought them out and renamed it "Shockwave Flash" to give the impression that Flash was a subset of their Shockwave technologies. (You'll notice that the Flash movie extension is "SWF". "ShockWave Flash")

      In reality, it was all just marketing BS. Flash had enough features to make animation authors (and later game developers) happy, so it quickly replaced the more heavyweight Shockwave. After the acquisition of Macromedia by Adobe, they stopped trying to maintain the charade and simply called it "Adobe Flash". There are still a few vestigial pieces of the software that refer to "Shockwave Flash", but they're slowly disappearing as time goes on.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.