Business websites using Flash put users at risk

Corporate websites that use Flash animation could allow hackers to control users' computers, according to a security expert.

The flaw allows malicious code to be executed on a user’s computer that runs the Flash software used by 98% of web users. The exploit was found by security firm eEye, which discovered and named the Code Red virus last year.

eEye confirmed the vulnerability in Flash Version 6, revision 23, and said this would ‘include most installations on Windows’. The flaw is attributed to a buffer overflow linked to an ActiveX control called Flash.ocx. Marc Maiffret, chief hacking officer at eEye, said the attack could be performed via some HTML email clients or by visiting malicious websites.

Other versions of Flash could be affected. While the company acknowledged it had not tested them, it said that people who have a previous version of Flash that is not affected may be obliged to ‘upgrade’ to the defective version because the Flash.ocx file is signed by Macromedia.

Richard Barber of security consultants Integralis said such an attack was certainly feasible and could be used to affect multiple users.

‘It lends itself not only to manual attacks but large scale automated attacks which are very popular among hackers,’ said Barber. ‘This allows people to deploy zombie agents and other things that they want to do.’

He said the point of automated attacks was that the hacker has a large population to attack and only expects a certain measure of success. The hacker then just sits there until an attack has been flagged before delivering their dangerous payload. ‘It is very nice and easy for the hacker to do and allows them to cover their tracks easily,’ he said.

Wayne Charlton, founder of music news website rnr-revolution.org, believed that this was another good reason for corporate websites to ditch animation websites in favour of something with more substance.

‘It takes a long time for an awful gimmicky animation to download and that’s really annoying. But to find that your computer has been hacked afterwards is too much to bear,’ said Charlton. ‘Web users want real information not dancing monkeys on sticks.’

The company advised users wanting to download the latest version of Flash to go HERE.
