Every time these stories come out, I become just slightly more smug that I deleted Flash about a year ago.
Weaponised Flash flaw can pinch just about anything from anywhere
Get cracking with the latest Flash upgrade, because the vulnerability it patches is a peach, allowing a cross-site request forgery (CSRF) attack for stealing user credentials. According to the Switzerland-based Google engineer that turned up the vulnerability, Michele Spagnuolo, sites that are/were vulnerable to the attack …
COMMENTS
-
Wednesday 9th July 2014 06:34 GMT Michael Habel
Them 'Lumpa's sure aren't playing 'round....
According to the Switzerland-based Google engineer that turned up the vulnerability, Michele Spagnuolo, sites that are/were vulnerable to the attack included various Google domains, YouTube, Twitter, Instagram, Tumblr and eBay.
I was not aware that the Ompa-Lumpa's had recently snapped up Twitter, Instagram and Tumblr much less Fleebay.... Does this bode well that Google might consider using PayPal someday?!
-
Wednesday 9th July 2014 07:17 GMT Anonymous Coward
WTF?
".....a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site...."
I'll just pass that info on to my mum and dad so they are aware.
-
Wednesday 9th July 2014 07:38 GMT Anonymous Coward
Just me?
Anyone sick of trying to explain to users why Flash, Java, browsers etc. pose security risks so should be updated as critical patches come along?
"But we only updated that last week!", "I'm too busy"
FFS, yes we did, and we'll be doing the same next week, month, year until what users have to steal is worth less than the effort of finding the holes, I'm sorry.
-
Wednesday 9th July 2014 08:27 GMT Nick Ryan
I'm actually rather thankful that Apple kick-started the (not fast enough) demise of Flash on the web...
It's still occasionally a PITA where some sites still insist on using it (looking at you, BBC) but I am surviving quite well these days without it installed on my home PC. Now if I could just do the same with .PDF files which really shouldn't need entire embedded executable environments inside a document...