Flash Bug Allows Secret Video, Audio

Monday, April 20, 2015 @ 02:04 PM gHale


Attackers could exploit a vulnerability in some versions of Adobe Flash Player to spy on users via built-in webcam and microphone, without generating a notification the components are in use.

The configuration panel of Flash Player allows defining a list of websites that can access the camera and microphone available on the computer; alternatively, users can enable the option to end up asked for permission when a website tries to use video and audio components on the computer.

RELATED STORIES
Adobe Updates Flash Player Vulnerabilities
Oracle Patches 98 Flaws
Patch Tuesday Closes Zero Days
Chrome 42 Releases; 45 Flaws Fixed

The issue (CVE-2015-3044), discovered by researcher Jouko Pynnönen of Klikki Oy, is an information disclosure that could end up leveraged on systems with versions of Flash prior to 17.0.0.169 to deliver audio and/or video streams captured from the victim’s device to a remote location controlled by an attacker.

To achieve this, the victim has to visit a malicious website, and there is no on-screen notification about gaining access to the camera and microphone, regardless of the setting in Flash’s configuration panel.

“This is a cross-platform logical bug so the same exploit works on any operating system supported by Flash,” the researcher said in a blog post.

He showed the a successful exploitation of the flaw in a video on his blog. The footage showed the captured stream to the user, but in a real-world attack this would not be visible to the victim.

The only clue to suspicious activity is the webcam’s LED lighting up. However, not all systems have a LED indicating webcam activity, or the attacker may choose, as a precaution, to capture only the audio stream, which would make the spying activity completely invisible.

This bug may also trigger another vulnerability, CVE-2015-0346, a double-free bug that could lead to executing arbitrary code on the affected system, Pynnönen said.

The flaw resides in the Flash Player Settings Manager, a standalone program that can end up accessed by Flash applications embedded in websites.

Adobe released an update last week that addresses CVE-2015-3044 and CVE-2015-0346.

The patches are automatic in Google Chrome via the built-in automatic update mechanism. The same occurs in the case of Internet Explorer (on Windows 8 and above) and of the desktop runtime version if the user enabled the auto-update feature.



Leave a Reply

You must be logged in to post a comment.