Tech Shout!

After incorporating the Macromedia Flash Player into its technology folder, on Tuesday, Adobe issued a ‘critical’ warning, recommending all Flash Player users to apply an update to avert a probable denial of service attack.

The exploit affects what’s known as Flash remoting - essentially the provision of server-based application services via Flash, as opposed to via HTML, Active Server Pages or some other wrapper. Though an exploit itself has not yet been found, Adobe engineers found that a certain form of Flash remoting command sent to ColdFusion servers (another acquired Macromedia technology) triggers an infinite loop process that will not stop itself.

In that state, without the server being able to return to its control program, an attacker could possibly launch a malicious incursion.

The technical portion of Adobe’s bulletin on Tuesday agreed that certain ColdFusion Markup Language (CFML) templates running outside the sandbox — the protected area for user-level applications — can place remote procedure calls to ColdFusion components running within a sandbox. If that call was one-way, and not planned to churn out a result, then conceivably, the ColdFusion sandbox might be safe, or “un-littered.”

It seems that, that’s not what is occurring, although the bulletin did not give further details.

For an attacker to exploit this flaw, Adobe says, a malicious Flash SWF component could need to be loaded into the Flash Player via the Web browser. Such a component may not yet exist, but every time one of these bulletins is issued, as Alan B. Shepard would say, the clock is started.