HelpWithWindows | Windows Forum | RoseCitySoftware





• August 15, 2002 •

Macromedia Flash Malformed Header Vulnerability Issue

Macromedia last week warned users that its Flash Player, a popular application for playing multimedia files, contains a vulnerability that could allow attackers to run malicious code on Windows and Unix-based operating systems.

Macromedia was alerted to the vulnerability by eEye Digital Security, which discovered the flaw. A hand-edited, malformed Macromedia Flash movie (SWF) header can be exploited to cause a buffer overwrite, which could potentially lead to execution of arbitrary code.

Because this is a browser-based bug, it is trivial to bypass firewalls and attack the user at the desktop, according to eEye, which also stated that "This vulnerability has been proven to work with all versions of Macromedia Flash on Windows and Unix, through IE and Netscape. It may be run wherever Shockwave files may be displayed or attached, including: websites, email, news postings, forums, Instant Messengers, and within applications utilizing web-browsing functionality."

According to Macromedia, it has isolated the issue and released an updated player (6,0,40,0), which is available for download from the Macromedia Player Download Center.




