Wednesday, May 28, 2008

Do the exploits for the recent Adobe Flash 0-day affect Linux?

Hell no. But a lot of sites suggest so by naming it an vulnerability in Flash Player and talking about exploits for both IE and Firefox. This suggests the vulnerability gets exploited *inside* the browser, affecting all common platforms, no?

No. Research shows that Linux is no more vulnerable for this specific than it was for the Storm worm. The exploits currently in the wild specifically target Windows. .exe files usually do, and that is what this exploit is made out of: .exe files.

The fact that downloaded .exe can be executed without any alterations in the file (setting and execute bit, for example) makes exploiting this vulnerability a lot easier on Windows.

Nevertheless, know that though the *exploits* do not work on Windows, the hole in Flash probably *does* exist on all platforms. The version on my Ubuntu box is one of the flawed ones mentioned on the SANS pages. So it might be possible to exploit the hole on Linux. It just won't be that easy and honestly, not as rewarding either. There's a lot less of us, and there's even less of us that are going to be so helpful as to chmod +x the exploit files ;-)

Edit: I am not a Flash developer, Mozilla developer or anything like that. The above is not a guarantee your Linux box won't be hacked through any of these exploits and vulnerabilities: I have been known to be wrong, on rare occasions.

No comments: