Compromised in a Flash

A flaw found in Macromedia's Web animation software leaves Web surfers vulnerable to attack when they visit an Internet site or, possibly, open an e-mail.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
A flaw found in Macromedia's animation software leaves Web surfers vulnerable to attack when they visit an Internet site or, possibly, open an e-mail, a security firm said Tuesday.

The vulnerability, found by security firm eEye Digital Security, allows an attacker to create a hand-edited Macromedia Flash, or SWF, file that can compromise a PC or Macintosh if its user views the file with the Shockwave Flash Player plug-in for Internet Explorer, Netscape or other browsers.

The flaw's danger is compounded by the fact that Flash is so widespread and the software doesn't have a built-in upgrade system, said Marc Maiffret, chief hacking officer for Aliso Viejo, Calif.-based eEye.

"Almost every user is going to have Flash, so they can become compromised," Maiffret said. "Unless the user is smart enough to get the latest version of Flash, then they are going to be vulnerable."

More than 90 percent of Web browsers have the Flash software installed, according to Macromedia. While nearly 53 percent of Web surfers use the latest version, Shockwave Flash Player 6, the number still falls well short of the total, underscoring the problem of convincing people to upgrade.

Macromedia warned its developers of the problem last Friday, said Troy Evans, product manager for the Flash Player. He added that the only way to notify software users that they need to get the latest software is by modifying Flash animations to require the newest versions, so the company is focused on getting developers to do more updates.

Although getting users to upgrade is a challenge, Evans said, the company has been fairly successful. "We have 3 million downloads per day, so the players that are out there are getting updated," he said.

The flaw affects the Flash plug-in for browsers on Windows, Unix, Linux and the Macintosh.

News.com Special Report
Vision Series 3
20 minds on tech's future

By editing the header of a Flash file, an attacker can cause the file to execute commands and compromise the computer system. In some cases, it's possible to cause HTML e-mail to perform a similar attack, eEye said in its advisory.

The danger of flaws that require a victim to go to a specific Web site tends to be offset by the fact that a Web site can be shut down fairly quickly. For that reason, a virus that attempts to use a vulnerability in Flash or another Web technology usually has a limited effect.

In many respects, the flaw resembles another vulnerability that eEye found in the Flash Player in August. That flaw also allowed an attacker to modify the header of an SWF file and cause the Flash Player to compromise the machine on which the software was running.

"The outcome of the attack is basically identical to the one back in August," Maiffret said. "It just goes to further show that the average software company is in great need of real-world security" checking.