Flash vulnerability allows Mac browser data theft

Adobe has issued an update to its popular Flash Web plugin that fixes a recently found security hole that may allow an attacker to steal browser data. The hole, found by a Google engineer, is triggered when a specially crafted SWF file containing alphanumeric characters is executed. The file exploits how Flash handles privileges for objects on the page, which allows it to attempt to access information from another domain on behalf of the user and then capture the returned data.

Flash versions 14.0.0.125 and earlier are affected. While you can check your installed version, the best route is simply to go to Adobe’s Web site and install the latest version of Flash. Automatic update notifications for Flash should also be appearing for those who have older versions of Flash installed.

While the vulnerability can be overcome with a Flash update, it can also be tackled by Web administrators. The Google engineer who helped identify the vulnerability has a blog posting that outlines the attack scenario and how it can be addressed.