Adobe Fixes Spying Bug

Wednesday, October 26, 2011 @ 08:10 AM gHale


Adobe fixed the problem pointed out by a Stanford University student who found any website administrator can easily spy on his customers using a bug in the Flash Settings Manager.

Adobe blamed the communication error between them and Feross Aboukhadijeh, the one who discovered the issue, on the fact the student sent his findings to an employee that was off duty at the time, said officials at V3.

RELATED STORIES
Flash Hole Allows for Spycam
Mac Malware Disables Protection
ICS Threat Brewing; Target Unclear
Old Becomes New: DLL Loading is Back

They mention the information should have gone to the incident response team instead.

“The email with the report was sent to an Adobe employee who has been on sabbatical. The issue was not reported to the Adobe Product Security Incident Response Team (PSIRT), which is the contact for all vulnerability reports,” said a V3 spokesman.

Because the actual update process needs to go through servers, users don’t have to apply any patches or updates manually.

This all started when Feross Aboukhadijeh found an older issue that allowed any webmaster to spy on his sites’ visitors ended up only partially fixed.

The initial problem allowed someone to take over our webcams and microphones by placing the Adobe Flash Setting Manager inside an iframe, that when clicked, could enable the devices.

By adding only the settings SWF file to an iframe, he was able to bypass the framebusting JavaScript code that was supposed to patch the hole.



Leave a Reply

You must be logged in to post a comment.