Information Security News mailing list archives

Macromedia investigates Flash security


From: InfoSec News <isn () C4I ORG>
Date: Fri, 5 Jan 2001 03:00:12 -0600

http://www.zdnet.co.uk/news/2001/0/ns-20009.html

Thu, 04 Jan 2001 15:24:55 GMT
Will Knight

It could be serious, but history suggests there's little to lose sleep
over.

Software giant Macromedia is investigating reports that its Flash
Player plugin for Internet browsers could allow malicious hackers
access to computers connected to the Internet.

An advisory posted to the popular security mailing list Bugtraq on 2
January reported that a flaw in Flash -- which allows Internet users to
play back multimedia content embedded in Web pages -- could enable a
malicious user to launch an attack.

The advisory suggests the software has a buffer overflow
vulnerability, which gets around the program's built-in security. This
could allow unauthorised, potentially malicious, code to be executed
on a PC.

A spokeswoman for Macromedia says that the company's technical staff
are investigating the situation. "It is a serious issue but there have
been issues in the past that have arisen and there has not been a
flaw," says the spokeswoman. "We need to look into it before we can
comment."

Although the author of the alert suggests the vulnerability could be
exploited to upload viruses, Trojan horses or other malicious code to
a computer with Flash installed, one security expert thinks most users
are safe.

"It's unlikely, based on past history," says Eric Chien, chief
researcher at SARC, Symantec's Antivirus Research Centre. Chien says
that, provided Macromedia supplies a swift patch and users install it,
there is little danger. He believes, however, that virus writers may
start exploiting this sort of vulnerability before long.

According to Macromedia's own figures, Flash is used by 96 percent of
all Web users.

ISN is hosted by SecurityFocus.com