Major Security Hole In Your Computer - and you probably don't know it

[dc dalton]

My partner and our sys admin stumbled upon a MAJOR security hole for Windows users that have the Macromedia Flash player installed (most do, it's what makes sites like youtube work)

It seem Flash drops a cookie onto your system that is NOT deleted when you clear your cookies normally and the dangerous part is these cookies work across different browsers.

Now for those of you that don't know a cookie is a little bit of information saved in a tiny file on your system (like when you click 'save my log in info or things like that) but the nice thing about cookies is they are only good for the browser you are using when the cookie is set. In other words if you use Internet Explorer for browsing and Firefox for your online banking Internet Explorer can NOT see the cookies from Firefox .... not so with these Flash cookies.

The way they found it was an online Flash survey. He did it in FF and then tried to do it in Internet Explorer and it told him he already voted ... the sysadmin was really confused because that's NOT supposed to be able to happen (unless they are tracking IP addresses) so they started digging when they found these.

They are stored in:

C:\Documents and Settings\[your account name]\Application Data\Flash Player\#Shared Objects\[some goofy number]

All of the folders in there are Flash cookies and trust me when I say this is a DANGEROUS ideal Adobe had

Sure enough once they deleted the contents of that folder he could vote in the survey in Internet Explorer. From what we can tell even Opera, Chrome and Safari are able to read from this folder.

The problem hasn't been exploited yet that we know of and they sent a scathing email to Adobe about it ... this is a security hole just waiting for a hacker to find and dig into your personal info!

So do yourself a favor and empty out that folder regularly ... esp if you do any online banking or anything like that.

[Farbmeister]

Evidently your sys admin friend is not a very good one.

Any app can read/write files on your windows box. Windows ACLs really don't mean anything because most PCs are single user, or all users are in the admin group.

So why, after you INSTALL Flash on your PC (that then links into your browser) are you excited that it has access to your file system?

Would your buddy be surprised if a virus he INSTALLED has access to the file system?

I will agree that most hacks into a computer are by a 3rd party app (ie flash). Most hacker competitions for prizes usually always hit flash or the browser.

[dc dalton]

So why, after you INSTALL Flash on your PC (that then links into your browser) are you excited that it has access to your file system?

NOT SO! You install the Flash plugins for IE and FF separately, you do NOT just install Flash and it links to your browsers. I know, I redo machines all the time. So if you have two different plugins used for two different browsers communicating between them you have a problem ... period

[billamj]

Ummmm, I installed Flash once, for IE, and it works fine for FF without the separate install. You just need to point FF to the install of Flash.

[dc dalton]

Ummmm, I installed Flash once, for IE, and it works fine for FF without the separate install. You just need to point FF to the install of Flash.

In the new version (I think since 8.0) you get two different installs, IE install through the browser, FF you have to download an exe and install it.

[d90king]

Buy a Mac and you can forget about all these garbage cookies, patches etc......

Hope you are feeling better after your weekend DC.

[dc dalton]

Buy a Mac and you can forget about all these garbage cookies, patches etc......

Hope you are feeling better after your weekend DC.

Yeah still a bit sore but the stitches and staples come out Friday .. besides feeling pissed off at myself I am feeling better.

And sorry I can't do the MAC thing, when I taught they tried to stick me with one and I refused BUT I am looking at the new Open Suse as an OS

[ungawa]

Buy a Mac and you can forget about all these garbage cookies, patches, a job etc......

Fixed!
.

[d90king]

Fixed!
.

As SoberBiker says "thats funny I don't care who you are......."

The real irony is that Jobs stepped down today due to his health.

[ungawa]

The real irony is that Jobs stepped down today due to his health.

In tech business that's what we call a "Lagging Indicator"