Attackers could exploit a vulnerability in some versions of Adobe Flash Player to spy on users via the built-in webcam and microphone, without generating a notification that the components are in use.
The configuration panel of Flash Player allows defining a list of websites that can access the camera and microphone available on the computer; alternatively, users can enable the option to be asked for permission when a website tries to use video and audio components on the computer.
The issue (CVE-2015-3044), discovered by researcher Jouko Pynnönen of Klikki Oy, is an information disclosure flaw that could be leveraged on systems with versions of Flash prior to 126.96.36.199 to deliver audio and/or video streams captured from the victim’s device to a remote location controlled by an attacker.
To achieve this, the victim has to visit a malicious website, and there is no on-screen notification about gaining access to the camera and microphone, regardless of the setting in Flash’s configuration panel.
“This is a cross-platform logical bug so the same exploit works on any operating system supported by Flash,” the researcher said in a blog post.
He showed a successful exploitation of the flaw in a video on his blog. The footage showed the captured stream to the user, but in a real-world attack this would not be visible to the victim.
The only clue to suspicious activity is the webcam’s LED lighting up. However, not all systems have an LED indicating webcam activity, or the attacker may choose, as a precaution, to capture only the audio stream, which would make the spying activity completely invisible.
This bug may also trigger another vulnerability, CVE-2015-0346, a double-free bug that could lead to executing arbitrary code on the affected system, Pynnönen said.
The flaw resides in the Flash Player Settings Manager, a standalone program that can be accessed by Flash applications embedded in websites.
Adobe released an update last week that addresses CVE-2015-3044 and CVE-2015-0346.
The patches are automatic in Google Chrome via the built-in automatic update mechanism. The same occurs in the case of Internet Explorer (on Windows 8 and above) and of the desktop runtime version if the user enabled the auto-update feature.