The flaw allows malicious code to be executed on a user’s computer that runs the Flash software used by 98% of web users. The exploit was found by security firm eEye, which discovered and named the Code Red virus last year.
The vulnerability in Flash Version 6, revision 23 was confirmed by eEye and said this would ‘include most installations on Windows’. The flaw is attributed to a buffer overflow linked to an ActiveX control called Flash.ocx. Marc Maiffret, chief hacking officer at eEye said the attack could be performed via some HTML email clients or by visiting malicious websites.
Other versions of Flash could be affected and while the company acknowledged it had not tested them, it said that people who have a previous version of Flash that is not affected may be obliged to ‘upgrade’ to the defective version because the Flash.ocx file is signed by Macromedia.
Richard Barber of security consultants Integralis said such an attack was certainly feasible and could be used to affect multiple users.
‘It lends itself not only to manual attacks but large scale automated attacks which are very popular among hackers,’ said Barber. ‘This allows people to deploy zombie agents and other things that they want to do.’
He said the point of automated attacks was the hacker has a large population to attack and only expects a certain measure of success. The hacker then just sits there until an attack has been flagged before delivering their dangerous payload. ‘It is very nice and easy for the hacker to do and allows them to cover their tracks easily,’ he said.
Wayne Charlton, founder of music news website rnr-revolution.org believed that this was another good reason for corporate websites to ditch animation websites in favour of something with more substance.
‘It takes a long time for an awful gimmicky animation to download and that’s really annoying. But to find that your computer has been hacked afterwards is too much to bear,’ said Charlton. ‘Web users want real information not dancing monkeys on sticks.’
The company advised users wanting to download the latest version of Flash to go HERE.
Barclays has partnered with accounting software company Xero to provide businesses with access to transaction data through its direct feed.
Government's estimate of a £400m admin saving from Making Tax Digital is way off - and is instead a huge cost burden, warns Lamont Pridmore chief executive Graham Lamont
Xero unveiled its expanded global partner programme at Xerocon South, the accounting technology conference in Australasia
Accountancy software firm Sage has been hit by a data breach which may have compromised the personal details and bank account details of as many as 300 UK businesses