Adobe plays down Flash security slurs

Adobe Flash symbol

A security researcher has posted details of a way of attacking how a browser handles Adobe Flash, which he has described as frightening'.

Mike Bailey, senior researcher for Foreground Security, said in a statement that the issue allowed an attacker to take over nearly any computer visiting a website that allowed file uploads.

He said that the vulnerability exploited the same origin' policy of Adobe Flash, and that nearly any site that allowed user-generated content could be attacked.

"Whether you use Flash or not, you may still be vulnerable because this issue affects users directly and not the servers themselves," Bailey said.

He added: "Websites that are at risk of being vulnerable include social media sites, major career portals, and Fortune 1000 and government agency websites. Basically, if you have a website, you could be vulnerable."

Bailey said he reported the vulnerability to both Adobe and Google, as he believed that Google Apps and Gmail could be affected by the issue.

In response, Adobe senior security researcher Peleus Uhley said in a blog post that the vulnerability Bailey described was not news, that it had been understood and discussed by the security community for years, and wasn't actually a Flash vulnerability.

"Web servers that choose to accept user-uploaded content also choose to accept the risks that go along with that functionality," he said.

"Flash Player's behaviour is consistent with other technologies and the web browser security model. Several web technologies pose the same risk to servers that allow end-user uploads."