Archive for the ‘adobe’ Category

Larry Osterman’s WebLog : This is the way the world (wide web) ends…

2008/04/18/1048

RTFA: http://blogs.msdn.com/larryosterman/archive/2008/0…

Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM’s ISS X-Force that affects Flash. For those that don’t speak hacker-speak, in this case, a “game-over” vulnerability is one that can be easily weaponized (his techniques appear to be reliable and can be combined to run an arbitrary payload). As an added bonus, because it’s a vulnerability in Flash, it allows the attacker to write a cross-browser, cross-platform exploit - this puppy works just fine in both IE and Firefox (and potentially in Safari and Opera).
This vulnerability doesn’t affect Windows directly, but it DOES show how a determined attacker can take what was previously thought to be an unexploitable failure (a null pointer dereference) and turn it into something that can be used to 0wn the machine.
Every one of the “except not quite” issues that Thomas writes about in the article represented a stumbling block that the attacker (who had no access to the source to Flash) had to overcome - there are about 4 of them, but the attacker managed to overcome all of them.
This is seriously scary stuff. People who have Flash installed should run, not walk, over to Adobe to pick up the update.

Seems there’s been a lot of discussion about this the last few days… and it’s not clear to me that a single SWF could be made to target multiple operating systems at a time… but it does look like a Windows target can be pwned through IE or Firefox, irrespective of the Flash build.


Adobe Pushes DRM for Flash | Electronic Frontier Foundation

2008/02/23/1415

RTFA: http://www.eff.org/deeplinks/2008/02/adobe-pushes-…

The immense popularity of sites like YouTube has unexpectedly turned Flash Video (FLV) into one of the de facto standards for Internet video. The proliferation of sites using FLV has been a boon for remix culture, as creators made their own versions of posted videos. And thus far there has been no widespread DRM standard for Flash or Flash Video formats; indeed, most sites that use these formats simply serve standalone, unencrypted files via ordinary web servers.

I can’t say I’m surprised… but that’s just because I have no faith in the DRM world.


Adobe, Omniture in hot water for snooping on CS3 users

2007/12/31/1252

RTFA: http://arstechnica.com/news.ars/post/20071231-adob…

It all began with a post at UNEASYsilence titled “Lies, Lies and Adobe Spies” which caught on to the fact that Adobe CS3 apps were calling out to a suspiciously-crafted IP address. As it turns out, the IP in question, 192.168.112.2O7.net (note the capital O instead of a zero), is not an IP at all, but rather a domain owned by statistics-tracking firm Omniture.

Wow, this is a pretty clever & shady trick.

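A defender's check for the trick described above, as an added example that is not part of the original post or the quoted article: it flags DNS names whose leading labels imitate an IPv4 address when scanning proxy or DNS logs. The confusable-letter set and every sample hostname other than 192.168.112.2O7.net are assumptions constructed for illustration.

```python
import ipaddress

# Letters commonly swapped for digits in look-alike names (assumed set).
CONFUSABLES = str.maketrans({"O": "0", "o": "0", "l": "1", "I": "1"})


def ip_lookalike(hostname):
    """Return the IPv4 address a DNS name imitates, or None if it imitates none."""
    host = hostname.strip().rstrip(".")
    try:
        ipaddress.IPv4Address(host)
        return None  # a genuine IP literal, not a DNS name dressed up as one
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 4:
        return None
    # Undo letter-for-digit swaps in the first four labels, then see whether
    # the result parses as a dotted quad.
    quad = ".".join(labels[:4]).translate(CONFUSABLES)
    try:
        return ipaddress.IPv4Address(quad)
    except ValueError:
        return None


def triage(hostnames):
    """Return (name, imitated address, imitates a private range) for each hit."""
    findings = []
    for name in hostnames:
        imitated = ip_lookalike(name)
        if imitated is not None:
            findings.append((name, str(imitated), imitated.is_private))
    return findings


# Constructed sample of destination hosts, as might be pulled from a proxy log.
SAMPLE_HOSTS = [
    "192.168.112.2O7.net",     # the name quoted in the article
    "192.168.112.207",         # a real private IP literal: not flagged
    "www.example.com",         # ordinary hostname: not flagged
    "172.16.l.1.example.org",  # constructed: lowercase L standing in for 1
]

if __name__ == "__main__":
    for name, imitated, private in triage(SAMPLE_HOSTS):
        print(f"{name} imitates {imitated} (private range: {private})")
```

A hit that imitates a private range deserves extra attention, since anyone skimming firewall or proxy logs is likely to read it as internal traffic.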