Flash flaw turns PCs into zombies

by Rene Millman

15 May 2002

Corporate websites using Flash animation could allow hackers to control users' computers, according to a security expert.

The flaw allows malicious code to be executed on a user's PC that runs the Flash software used by 98 per cent of web users. The exploit was found by security firm eEye, which discovered and named the Code Red virus last year.

The vulnerability in Flash Version 6, revision 23 was confirmed by eEye, which said that it would "include most installations on Windows".

The flaw is attributed to a buffer overflow linked to an ActiveX control called Flash.ocx.

Marc Maiffret, chief hacking officer at eEye, explained that the attack could be performed via some HTML email clients or by visiting malicious websites.

Other versions of Flash could be affected, although the company acknowledged that it had not tested them. It said that people using a previous version of Flash that is not affected may be obliged to 'upgrade' to the defective version because the Flash.ocx file is signed by Macromedia.

Richard Barber, of security consultants Integralis, suggested that such an attack was certainly feasible and could be used to affect multiple users.

"It lends itself not only to manual attacks but large scale automated attacks which are very popular among hackers," he said. "This allows people to deploy zombie agents and other things that they want to do."

Barber added that the point of automated attacks was that the hacker has a large population to attack and only expects a certain measure of success.

The hacker then just sits there until an attack has been flagged before delivering the dangerous payload. "It's nice and easy for the hackers and allows them to cover their tracks easily," he said.

Wayne Charlton, founder of music news website rnr-revolution.org, believed that this was another good reason for corporate websites to ditch animation in favour of something with more substance.

"It takes a long time for an awful, gimmicky animation to download and that's really annoying. But to find that your computer has been hacked afterwards is too much to bear," he complained.

"Web users want real information not dancing monkeys on sticks."

The latest version of Flash can be downloaded here.
