Sunday

Disabling Flash in browser may not be enough to secure your machines


Disabling Flash in your PC browser may help stave off online attacks, but it may still not be enough, a security vendor warns.

Fortinet said Flash files can also be embedded in various document formats including Microsoft Office documents and even PDF files.

"Even if you have disabled Flash in your browsers, Flash exploits can still leverage Flash player vulnerabilities through software like Microsoft Office and Adobe Reader," Fortinet's Bing Liu said in a blog post.

As proof of concept, Liu crafted a PowerPoint file that would cause the calculator program to pop up when loaded in apps with a vulnerable Flash plugin.

The Flash exploit "works well inside a PPT and PDF document until I uninstall the Flash player on my computer," Liu said.

Such a situation "is just one simple example of ways in which Flash can be exploited outside of a web browser," Liu added.

"What all this means, unfortunately, is that disabling the Flash plugin in your browsers isn't a complete solution to Flash security. Flash is a technology that can be embedded in many places and requires vigilance on the part of users as well as smart edge and endpoint protection and rigorously patched software to ensure that Flash exploits don't end up on your network," Liu said. — Joel Locsin/LBG, GMA News
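For defenders who want to find documents that carry embedded Flash, the following is an added example, not code from Fortinet or from this article. It is a heuristic scanner that looks for the ShockwaveFlash ActiveX CLSID, SWF file headers and PDF `/RichMedia` annotations, both in the raw file and inside the zipped parts of OOXML documents; the function names, indicator labels and sample document are constructed for illustration.

```python
import io
import re
import zipfile

# CLSID of the ShockwaveFlash ActiveX control, as text and as a binary GUID
# (first three fields little-endian), the form found inside OLE objects.
FLASH_CLSID_TEXT = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
FLASH_CLSID_BIN = bytes.fromhex("6EDB7CD26DAECF1196B8444553540000")
# SWF header: FWS (raw), CWS (zlib) or ZWS (LZMA), followed by a version byte.
SWF_HEADER = re.compile(rb"[FCZ]WS[\x01-\x32]")
MAX_PART = 50 * 1024 * 1024  # skip oversized archive members (zip-bomb guard)

def indicators(blob):
    """Heuristic byte-level indicators of embedded Flash in one blob."""
    found = set()
    if FLASH_CLSID_TEXT in blob.upper() or FLASH_CLSID_BIN in blob:
        found.add("flash-activex-clsid")
    if SWF_HEADER.search(blob):
        found.add("swf-header")
    if b"/RichMedia" in blob:  # PDF annotation type that can carry Flash
        found.add("pdf-richmedia")
    return found

def scan_document(data):
    """Return {part name: indicators} for a document passed as bytes."""
    hits = {}
    top = indicators(data)
    if top:
        hits["<raw file>"] = top
    if zipfile.is_zipfile(io.BytesIO(data)):  # OOXML (.pptx/.docx/.xlsx)
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.file_size <= MAX_PART:
                    found = indicators(archive.read(info))
                    if found:
                        hits[info.filename] = found
    return hits

def build_sample_pptx():
    """Constructed sample: a zip with part names laid out like a .pptx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", "<p:sld>hello</p:sld>")
        z.writestr("ppt/activeX/activeX1.xml",
                   '<ax:ocx ax:classid="{d27cdb6e-ae6d-11cf-96b8-444553540000}"/>')
        z.writestr("ppt/activeX/activeX1.bin", b"\x00" * 16 + b"CWS\x0a" + b"\x00" * 32)
    return buf.getvalue()

if __name__ == "__main__":
    for part, found in scan_document(build_sample_pptx()).items():
        print(part, sorted(found))
```

Byte matching of this kind misses Flash stored inside compressed PDF streams and can flag unrelated binary data, so treat a hit as a reason to inspect the file rather than as a verdict.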

source: gmanetwork.com