
Flash Player Bug Allows Video, Audio Recording Without User Consent


Karamjit


A vulnerability in some versions of Adobe Flash Player could be exploited by ill-intended actors to spy on user activity via built-in webcam and microphone, without generating a notification that the components are accessed.

The configuration panel of Flash Player allows defining a list of websites that can access the camera and microphone available on the computer; alternatively, users can enable the option to be asked for permission when a website tries to use video and audio components on the computer.

LED warns of webcam activity

Reported by researcher Jouko Pynnönen of Klikki Oy, the issue (CVE-2015-3044) is an information disclosure that could be leveraged on systems with versions of Flash prior to 17.0.0.169 to deliver audio and/or video streams captured from the victim’s device to a remote location controlled by an attacker.

To achieve this, the victim has to visit a malicious website, and there is no on-screen notification about the camera and microphone being accessed, regardless of the setting in Flash’s configuration panel.

“This is a cross-platform logical bug so the same exploit works on any operating system supported by Flash,” the researcher says, adding that a potential variant of the vulnerability is currently being investigated.

He demonstrated the successful exploitation of the flaw in a video (available below). The footage shows the captured stream to the user, but in a real-world attack this would not be visible to the victim, Pynnönen said via email.

The only clue to suspicious activity is the webcam’s LED lighting up. However, not all systems have an LED indicating webcam activity, or the attacker may choose, as a precaution, to capture only the audio stream, which would make the spying activity completely invisible.

Arbitrary code execution possibility

Pynnönen says that this bug may also be used to trigger another vulnerability, CVE-2015-0346, a double-free bug that could lead to executing arbitrary code on the affected system.

The flaw resides in the Flash Player Settings Manager, a standalone program that can be accessed by Flash applications embedded in websites.

This week Adobe released an update that addressed a large number of security flaws, with both CVE-2015-3044 and CVE-2015-0346 among them.

The patches are applied automatically in Google Chrome via the built-in automatic update mechanism. The same occurs in the case of Internet Explorer (on Windows 8 and above) and of the desktop runtime version if the auto-update feature is enabled.

Source: http://news.softpedia.com/news/Flash-Player-Bug-Allows-Video-Audio-Recording-Without-User-Consent-478664.shtml


Cool! Now you don't need to download trojans to do the same. Now you can trust your favorite software to do it for you. lol



knowledge-Spammer

you can block built-in webcam with software so no one can exploit



Marcus Thunder

you can block built-in webcam with software so no one can exploit

What is that software that blocks webcams from exploitation?



knowledge-Spammer

you can block built-in webcam with software so no one can exploit

What is that software that blocks webcams from exploitation?

i think hitman pro alert 2.6.5.77

and Kaspersky Internet Security do it too i think

or you can try something like this f4bUliI.png?1



Archived

This topic is now archived and is closed to further replies.
