Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

Security Hole -- Compromised in a Flash

From: Dave Farber <dave () farber net>
Date: Wed, 18 Dec 2002 08:13:56 -0500
Compromised in a Flash
By Robert Lemos 
Special to ZDNet News
December 17, 2002, 2:59 PM PT
URL: http://zdnet.com.com/2100-1105-978261.html

A flaw found in Macromedia's animation software leaves Web surfers
vulnerable to attack when they visit an Internet site or, possibly, open an
e-mail, a security firm said Tuesday.

The vulnerability, found by security firm eEye Digital Security, allows an
attacker to create a hand-edited Macromedia Flash, or SWF, file that can
compromise a PC or Macintosh if its user views the file with the Shockwave
Flash Player plug-in for Internet Explorer, Netscape or other browsers.

The flaw's danger is compounded by the fact that Flash is so widespread and
the software doesn't have a built-in upgrade system, said Marc Maiffret,
chief hacking officer for Aliso Viejo, Calif.-based eEye.

"Almost every user is going to have Flash, so they can become compromised,"
Maiffret said. "Unless the user is smart enough to get the latest version of
Flash, then they are going to be vulnerable."

More than 90 percent of Web browsers have the Flash software installed,
according to Macromedia. While nearly 53 percent of Web surfers use the
latest version, Shockwave Flash Player 6, the number still falls well short
of the total, underscoring the problem of convincing people to upgrade.

Macromedia warned its developers of the problem last Friday, said Troy
Evans, product manager for the Flash Player. He added that the only way to
notify software users that they need to get the latest software is by
modifying Flash animations to require the newest versions, so the company is
focused on getting developers to do more updates.

Although getting users to upgrade is a challenge, Evans said, the company
has been fairly successful. "We have 3 million downloads per day, so the
players that are out there are getting updated," he said.

The flaw affects the Flash plug-in for browsers on Windows, Unix, Linux and
the Macintosh. 

By editing the header of a Flash file, an attacker can cause the file to
execute commands and compromise the computer system. In some cases, it's
possible to cause HTML e-mail to perform a similar attack, eEye said in its
advisory. 

The danger of flaws that require a victim to go to a specific Web site tends
to be offset by the fact that a Web site can be shut down fairly quickly.
For that reason, a virus that attempts to use a vulnerability in Flash or
another Web technology usually has a limited effect.

In many respects, the flaw resembles another vulnerability that eEye found
in the Flash Player in August. That flaw also allowed an attacker to modify
the header of an SWF file and cause the Flash Player to compromise the
machine on which the software was running.

"The outcome of the attack is basically identical to the one back in
August," Maiffret said. "It just goes to further show that the average
software company is in great need of real-world security" checking."

To updatesee

http://www.macromedia.com/v1/handlers/index.cfm?ID=23569

djf

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To unsubscribe or update your address, click
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: