Critical Flash Flaw Found, Fixed
The vulnerability, said eEye Digital Security, the Aliso Viejo-Calif.-based company that discovered the flaw, is in the code of Flash.ocx, the component responsible for playing back .swf files (Flash content files). An attacker who manages to entice a user to a malicious Web site with a malformed Flash file could grab control of the PC, said eEye, if that user was running Windows with Administrator rights.
"We've assigned it our "High' rating, which means the vulnerability allows for code execution," said Steve Manzuik, the research team lead at eEye. "There's one caveat: it happens in the context of a logged-in user. But with the number of people running, say, Windows XP Home as an Administrator, that's still dangerous."
Other security firms have given the bug a similarly high ranking. Secunia, a Danish vulnerability tracker, listed the Flash flaw as "Highly critical," just one step from the top of its rating system. Macromedia itself acknowledged it as a "critical" bug in its own security advisory.
Macromedia has patched the vulnerability, which exists in Flash 6 and 7 for Windows, and has posted an updated edition -- version 8.0.22.0 -- which corrects the problem. (Windows 95 or NT users can't install Flash 8, so Macromedia has posted a separate fix for them, dubbed "7.0.60.0.") Although eEye has created exploit code that leverages this vulnerability when using Internet Explorer to view Flash content, there's nothing about Microsoft's browser that makes it particularly vulnerable.
"The flaw is in Flash, not the browser," said Manzuik. "There's no reason why the exploit wouldn't work in Firefox as well."
eEye reported the bug to Macromedia more than four months ago -- June 27, 2005 -- but as is its custom, it delayed making any of the details public until the vendor had a fixed edition ready to roll out.
eEye expects a busy month, said Manzuik. One or more of the vulnerabilities to be disclosed by Microsoft on Tuesday in its normal monthly security bulletin schedule are credited to eEye, he said. Later this month, a fix for one of the two vulnerabilities listed by eEye for RealNetworks' products will come down the pike.
eEye takes the unusual step of posting very general information about reported, but not patched, vulnerabilities, along with the number of days a vendor has had that information. For instance, the two RealNetworks' flaws were reported June 28 and July 1, 2005, and even with a 60-day grace period, fixes are 72 and 69 days overdue, respectively. Both RealNetworks bugs are rated as a "High" risk.
The last critical flaw in Flash was found nearly two years ago.
E-document giant Adobe is in the final process of acquiring the San Francisco-based Macromedia. Shareholders have given the merger a green light, as has the U.S. Department of Justice. Final approval only awaits some European jurisdictions, Macromedia has said.