Glitch can be used to trigger flaw leading to code execution

Apr 17, 2015 09:13 GMT

A vulnerability in some versions of Adobe Flash Player could be exploited by ill-intended actors to spy on user activity via built-in webcam and microphone, without generating a notification that the components are accessed.

The configuration panel of Flash Player allows defining a list of websites that can access the camera and microphone available on the computer; alternatively, users can enable the option to be asked for permission when a website tries to use video and audio components on the computer.

LED warns of webcam activity

Reported by researcher Jouko Pynnönen of Klikki Oy, the issue (CVE-2015-3044) is an information disclosure that could be leveraged on systems with versions of Flash prior to 17.0.0.169 to deliver audio and/or video streams captured from the victim’s device to a remote location controlled by an attacker.

To achieve this, the victim has to visit a malicious website, and there is no on-screen notification about the camera and microphone being accessed, regardless of the setting in Flash’s configuration panel.

“This is a cross-platform logical bug so the same exploit works on any operating system supported by Flash,” the researcher says, adding that a potential variant of the vulnerability is currently being investigated.

He demonstrated the successful exploitation of the flaw in a video (available below). The footage shows the captured stream to the user, but in a real-world attack this would not be visible to the victim, Pynnönen said via email.

The only clue to suspicious activity is the webcam’s LED lighting up. However, not all systems have an LED indicating webcam activity, and an attacker may choose, as a precaution, to capture only the audio stream, which would make the spying completely invisible.

Arbitrary code execution possibility

Pynnönen says that this bug may also be used to trigger another vulnerability, CVE-2015-0346, a double-free bug that could lead to executing arbitrary code on the affected system.

The flaw resides in the Flash Player Settings Manager, a standalone program that can be accessed by Flash applications embedded in websites.

This week Adobe released an update that addressed a large number of security flaws, with both CVE-2015-3044 and CVE-2015-0346 among them.

The patches are applied automatically in Google Chrome via its built-in update mechanism. The same applies to Internet Explorer on Windows 8 and above, and to the desktop runtime if its auto-update feature is enabled.

Researcher demonstrates website access to system camera and microphone, with no notification triggered: