Researchers have identified a vulnerability in some Adobe Flash Player versions that attackers can exploit to spy on users whose computers have built-in webcams. The spying remains completely discreet.
Flash Player's configuration panel lets users create a list of sites that can access the device's built-in microphone and webcam. Alternatively, users can manually enable the option to be asked for permission before a site tries to access the computer's audio and video components.
Jouko Pynnönen, a researcher at Klikki Oy, reported that the issue (CVE-2015-3044) is an information disclosure flaw that can be leveraged on systems running earlier versions of Flash Player. The vulnerability has been identified in versions released before 18.104.22.168.
The audio and video streams can be captured from the device and transferred to a remote location controlled by the attacker. This is achieved by luring the victim to a compromised website. No on-screen notification tells the user that the webcam and microphone are being accessed.
According to the researcher, “this is a cross-platform logical bug so the same exploit works on any operating system supported by Flash.”
He further added that the firm is currently investigating a potential variant of the vulnerability.
In a video, the researcher demonstrated how the flaw can be exploited. The video shows the user's captured stream; however, according to the researcher, this would not be visible to the victim in a real attack.
The webcam's LED turning on would be the only clue to the ongoing spying. However, not all systems have an LED indicator. Moreover, an attacker may be cautious enough to capture the audio stream only, which would make the spying fully undetectable.
Pynnönen states that the bug can be used to trigger a new vulnerability, CVE-2015-0346.
This double-free bug may allow execution of arbitrary code on the attacked system.
The defect lies in the Flash Player Settings Manager, a standalone program that Flash applications embedded in websites can access.
Adobe released an update this week that addresses most of the security flaws, including CVE-2015-3044 and CVE-2015-0346.
Google Chrome applies the patches through its built-in automatic update mechanism. Internet Explorer on Windows 8 and above does the same.
Watch the video below to see how it is done: