Macromedia Flash security hole affects Windows, Unix

A security hole in the widely used Macromedia Inc. Shockwave Flash file format used with Web browsers can allow an attacker to execute code of their choice on affected systems, according to a new security alert released Friday by eEye Digital Security Inc.

The vulnerability is limited, however, to Shockwave Flash files edited by hand with a binary editor, meaning that the Flash application will not produce files that contain the vulnerability on its own, according to a separate security alert from Macromedia, which is based in San Francisco.

The vulnerability is serious because it affects Web browsers, which are trusted by firewalls to receive incoming traffic, and because it affects all versions of Shockwave Flash used in the Internet Explorer and Netscape Navigator Web browsers running on both Windows and Unix, eEye said.

The flaw comes as the result of a problem in the data header of Shockwave Flash files which allows an attacker to supply more data to the file decoder than is expected and in turn can eventually lead to code execution, eEye said.

Because the vulnerability is browser-based, it can be exploited in any situation in which a Web browser views a Shockwave Flash file, such as on Web pages, in e-mail or newsgroups, eEye wrote.

Macromedia has released a new Flash player that addresses the flaw and is available at http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&TitlePSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue&Cache=False. More information about he vulnerability is also located at that address.

EEye, which has found numerous other vulnerabilities in applications like Microsoft Corp.'s IIS (Internet Information Services), discovered another security hole in Flash in May. More Macromedia bug reports are likely to come, though, as eEye warned in its alert that it had found about 17 other vulnerabilities in Flash.

More about: eEye Digital Security, Macromedia, Microsoft

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/145/microsoft-security-essentials/

Microsoft Security Essentials

Microsoft Security Essentials provides your home PC with real-time protection. It constantly uses the latest technology ensuring that you will always stay up to date ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia