According to a Wednesday report in the daily newspaper Die Tageszeitung, security researchers from the Fraunhofer Institute for Secure Information Technology in Darmstadt have shown that malevolent hackers can remotely turn almost any computer into a formidable surveillance device.
Flash is a popular program that can be downloaded free and allows computer users to watch video and animations via web pages. It is often automatically installed as an add-on program with any internet browser.
But security researchers from the Fraunhofer Institute developed a method by which the microphone and built-in camera on a computer can be switched on remotely, allowing an attacker to use the microphone as a bug and to operate the camera.
The researchers outlined their discovery in a recent presentation to the Chaos Computer Club, a Germany-based hackers' organisation.
They described the method as a “man-in-the-middle” attack – the attacker places himself effectively between the computer's user and the Flash software. That means the user must actually help the intruder by accepting a false encoding certificate.
Along with potential security holes, Flash can also be used by companies to track computer users. So-called Flash cookies, small packets of data, land on the hard drive and save the user's activities. Because Flash cookies are barely noticed by the computer owner, they are almost never deleted.
Adobe plugged 32 security holes when it issued its last updates, according the newspaper report. But just two months later a further update needed to be issued when another serious problem arose: “This hole … allowed an attacker to potentially take over the system,” the firm announced.