There is a gaping security hole in Flash, that according to ComputerWorld’s Gregg Keizer “can exploit a flaw… to compromise nearly every Web site that allows users to upload content, including Google’s Gmail, then launch silent attacks on visitors to those sites.”
Not good. But it gets worse.
Adobe has acknowledged the problem, and has promised nothing. No patch, no quick fix, nothing but a thumb of the nose. Adobe has made it plain that websites and their creators are responsible for their security.
That sounds like GM saying drivers are responsible for exploding gas tanks. This is a big, bad problem. Expect to see backlash to Adobe, and some fix in the pipeline. If not, a large swath of the internet is now very, very insecure.
Mike Murray of Foreground Security said it well: “Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this.”
H/T @MichaelKlurfeld for the tip.