Compromised in a Flash: Macromedia flaw found

A flaw found in Macromedia's animation software leaves Web surfers vulnerable to attack when they visit an Internet site or, possibly, open an e-mail, a security firm said Tuesday.

The vulnerability, found by security firm eEye Digital Security, allows an attacker to create a hand-edited Macromedia Flash, or SWF, file that can compromise a PC or Macintosh if its user views the file with the Shockwave Flash Player plug-in for Internet Explorer, Netscape or other browsers.

The flaw's danger is compounded by the fact that Flash is so widespread and the software doesn't have a built-in upgrade system, said Marc Maiffret, chief hacking officer for eEye.

"Almost every user is going to have Flash, so they can become compromised," Maiffret said. "Unless the user is smart enough to get the latest version of Flash, then they are going to be vulnerable."

More than 90 percent of Web browsers have the Flash software installed, according to Macromedia. While nearly 53 percent of Web surfers use the latest version, Shockwave Flash Player 6, the number still falls well short of the total, underscoring the problem of convincing people to upgrade.

Macromedia warned its developers of the problem last Friday, said Troy Evans, product manager for the Flash Player. He added that the only way to notify users that they need the latest player is via new versions of Flash animations, so the company is focused on getting developers to do more updates.

Although getting users to upgrade is a challenge, Evans said, the company has been fairly successful. "We have 3 million downloads per day, so the players that are out there are getting updated," he said.

The flaw affects the Flash plug-in for browsers on Windows, Unix, Linux and the Macintosh.

By editing the header of a Flash file, an attacker can cause the file to execute commands and compromise the computer system. In some cases, it's possible to cause HTML e-mail to perform a similar attack, eEye said in its advisory.

The danger of flaws that require a victim to go to a specific Web site tends to be offset by the fact that a Web site can be shut down fairly quickly. For that reason, a virus that attempts to use a vulnerability in Flash or another Web technology usually has a limited effect.

In many respects, the flaw resembles another vulnerability that eEye found in the Flash Player in August. That flaw also allowed an attacker to modify the header of an SWF file and cause the Flash Player to compromise the machine on which the software was running.

"The outcome of the attack is basically identical to the one back in August," Maiffret said. "It just goes to further show that the average software company is in great need of real-world security" checking.
