A flaw found in Macromedia's animation software leaves Web surfers vulnerable to attack when they visit an Internet site or, possibly, open an e-mail, a security firm said Tuesday.
The vulnerability, found by security firm eEye Digital Security, allows an attacker to create a hand-edited Macromedia Flash, or SWF, file that can compromise a PC or Macintosh if its user views the file with the Shockwave Flash Player plug-in for Internet Explorer, Netscape or other browsers.
The flaw's danger is compounded by the fact that Flash is so widespread and the software doesn't have a built-in upgrade system, said Marc Maiffret, chief hacking officer for Aliso Viejo, Calif.-based eEye.
"Almost every user is going to have Flash, so they can become compromised," Maiffret said. "Unless the user is smart enough to get the latest version of Flash, then they are going to be vulnerable."
More than 90 percent of Web browsers have the Flash software installed, according to Macromedia. While nearly 53 percent of Web surfers use the latest version, Shockwave Flash Player 6, the number still falls well short of the total, underscoring the problem of convincing people to upgrade.
Macromedia warned its developers of the problem last Friday, said Troy Evans, product manager for the Flash Player. He added that the only way to notify software users that they need to get the latest software is by modifying Flash animations to require the newest versions, so the company is focused on getting developers to do more updates.
Although getting users to upgrade is a challenge, Evans said, the company has been fairly successful. "We have 3 million downloads per day, so the players that are out there are getting updated," he said.
The flaw affects the Flash plug-in for browsers on Windows, Unix, Linux and the Macintosh.
News.com Special Report Vision Series 3 20 minds on tech's future
By editing the header of a Flash file, an attacker can cause the file to execute commands and compromise the computer system. In some cases, it's possible to cause HTML e-mail to perform a similar attack, eEye said in its advisory.
The danger of flaws that require a victim to go to a specific Web site tends to be offset by the fact that a Web site can be shut down fairly quickly. For that reason, a virus that attempts to use a vulnerability in Flash or another Web technology usually has a limited effect.
In many respects, the flaw resembles another vulnerability that eEye found in the Flash Player in August. That flaw also allowed an attacker to modify the header of an SWF file and cause the Flash Player to compromise the machine on which the software was running.
"The outcome of the attack is basically identical to the one back in August," Maiffret said. "It just goes to further show that the average software company is in great need of real-world security" checking.
Join the conversation
Comment replyThe posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
Join the conversation