updated 11:10 am EDT, Wed May 28, 2008
Widespread Flash exploit
Hundreds of thousands of webpages have been affected by a vulnerability in Adobe's Flash Player, says security vendor Symantec. Since at least Monday, approximately 220,000 pages have been hacked to add redirection scripts, which send Flash users to some 57 servers that attempt to deliver malware, including botnet code and apps that steal World of Warcraft identities and passwords. Only Flash Player versions 126.96.36.199 and 188.8.131.52 appear to be at risk; the attack also seems to be directed primarily at Windows, says Symantec, although problems may yet arise on other operating systems (including Mac OS X) unless Adobe can close the exploit.
Sites victimized by the redirection scripts are generally said to be those belonging to small towns, businesses and non-profit organizations, which may have been chosen through a tool that uses Google to trawl for pages with security holes. If an attack fails, Symantec notes that it may still crash a user's browser.
Adobe has yet to confirm or deny the security issue. "We are working with Symantec to investigate the potential SWF vulnerability," an official statement reads, "and will have an update once we get more information."