Adobe Flash 9 vulnerability found ?!?!?
I've just read it and reported. It seems that Symantec found a bug in Adobe Flash Player (including 9.0.124.0 and 9.0.115.0), and it says web sites hosting Adobe Flash Player content can be compromised by an exploit in the newest version of Flash. Embedded JavaScript can redirect users to a Chinese malware server:
(From CNET News) Symantec says that under certain conditions embedded JavaScript within the player will redirect users to dota11.cn. In an alert on Tuesday, Symantec said specific details about the vulnerability exploited were unknown, and initial testing of the in-the-wild exploit showed it to be unreliable. Nonetheless, Symantec said it had identified at least one commercial site, www.bridgettwalther.com, which is a horoscope Web site, but that the embedded malicious code has since been removed.
Read more on securityfocus.com (Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability)

That doesn't make any sense to me...
There is no JavaScript embedded in the player as far as I know. Any Flex application can include JavaScript, and inject it into the host webpage. This isn't a "vulnerability" though, it's a feature.
Posted by: Tony Fendall | May 28, 2008 at 12:49 AM
Ha! I just found a vulnerability in every browser: self.location() may redirect users to a Chinese malware server! ;)
Posted by: r | May 28, 2008 at 03:50 AM
Yeah right. And Symantec still uses Flash on their site, http://www.symantec.com/index.jsp
Posted by: William from Lagos | May 28, 2008 at 04:02 PM
Hi guys. This time it's real or Adobe wouldn't urge everybody to update:
http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html
J
Posted by: Jensa | May 28, 2008 at 09:46 PM