SecurityTracker.com

SecurityTracker
Archives







Category:  Application (Multimedia)  >  Flash
Vendors:  Macromedia
Macromedia Flash Player Lets Malicious Flash Media Files Execute Scripts on the User's Host Without Requiring User Approval
Date:  Jan 11 2002
Impact:  Execution of arbitrary code via network
Vendor Confirmed:  Yes  
Version(s): 5.0 and above
Description:  A vulnerability was reported in Macromedia's stand-alone Flash Player for Windows. A remote user can create malicious content that, when executed by a user, will cause a malicious script to run on the user's host.

Sophos Anti-Virus reported that Macromedia Flash Player will run scripts on the user's host without requiring user approval to execute the script. This reportedly only affects the stand-alone Flash Player or Projector that is installed with the Macromedia Flash authoring product and does not affect web-browser based Flash plug-ins.

Impact:  A remote user can create and distribute a malicious Flash media file that, when loaded into a user's stand-alone Flash Player or Projector, will execute a script containing malicious code.
Solution:  The vendor is reportedly working on a fix. For more information on the pending patch, see:

http://www.macromedia.com/support/flash/

As a workaround, the vendor recommends removing the file associations on your operating system between SWF files and the Flash Player. The vendor has released a utility to perform this (SWF Clear Utility), available at:

http://download.macromedia.com/pub/flash/utility/swf_clear_utility.zip

According to the vendor, "This utility removes file type associations for the SWF file format. The result is that opening any SWF file will cause the operating system to prompt you to indicate which program to open the file with. Subsequently, if you receive this prompt when attempting to open a SWF file, cancel the procedure and do not open the file to ensure greatest security. Note: Reinstalling the Flash application will re-associate the file type. If you need to reinstall Flash, run the SWF Clear Utility again for maximum security."
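The following PowerShell audit is an added example, not part of the advisory or the vendor's utility. It checks whether the workaround is in effect on a host, for instance after a reinstall has re-associated the file type. It assumes the association is stored in the standard Windows class registration (extension key, ProgID, `shell\open\command`); the advisory does not say which keys the SWF Clear Utility changes, and the function names are hypothetical.

```powershell
# Added example: report whether .swf still has a registered "open" handler.
# Assumption: standard Windows class registration layout
# (extension key -> ProgID -> shell\open\command).

function Get-DefaultValue {
    param([string]$Path)
    # Return the (Default) value of a registry key, or $null if the key is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue('')
}

function Get-SwfAssociation {
    param([string]$Extension = '.swf')
    $merged = 'Registry::HKEY_CLASSES_ROOT'
    # Look at the machine-wide and per-user registrations separately so the
    # report shows where an association comes from.
    $roots = [ordered]@{
        Machine = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes'
        User    = 'Registry::HKEY_CURRENT_USER\Software\Classes'
    }
    foreach ($scope in $roots.Keys) {
        $extKey  = Join-Path $roots[$scope] $Extension
        $progId  = Get-DefaultValue $extKey
        $command = $null
        if ($progId) {
            # A ProgID may be defined in either hive, so resolve it in the merged view.
            $command = Get-DefaultValue "$merged\$progId\shell\open\command"
        }
        if (-not $command) {
            # Some registrations attach the verb directly to the extension key.
            $command = Get-DefaultValue "$extKey\shell\open\command"
        }
        [pscustomobject]@{
            Scope       = $scope
            ProgId      = $progId
            OpenCommand = $command
            Associated  = [bool]$command
        }
    }
}

$report = @(Get-SwfAssociation)
$report | Format-List
if ($report | Where-Object { $_.Associated }) {
    Write-Warning '.swf still opens with a registered handler; the association has not been removed.'
} else {
    Write-Output '.swf has no registered open handler; opening a SWF file should prompt for a program.'
}
```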

Vendor URL:  www.macromedia.com/support/flash/ts/documents/swf_clear.htm
Cause:  State error
Underlying OS:  Windows (Any)
Reported By:  Peter Santangeli <psantangeli@macromedia.com>
Message History:   None.


 Source Message Contents

Date:  9 Jan 2002 01:44:47 -0000
From:  Peter Santangeli <psantangeli@macromedia.com>
Subject:  Shockwave Flash player issue

 



Macromedia was recently informed of a potential 
issue with the standalone Macromedia Flash Player 
running on Microsoft Windows. This issue does not 
affect web content viewed in a browser. 

After testing by both Macromedia and Sophos Anti-
virus, the company who initially reported this potential 
issue, Macromedia has found that this issue can only 
affect content that is sent via email or downloaded 
from a site and then run outside a browser. 

In either case, the content must be run in a 
Macromedia stand-alone Flash Player or associated 
Projector executable to represent a risk. This player 
is not installed by any browser installation, and is only 
installed with the Macromedia Flash authoring 
product. 

Macromedia appreciates the work of Sophos in 
reporting this potential issue, and will be issuing a 
patch later this week; a fix will also be included in 
future versions of the product. 

For more information on the patch please visit: 
http://www.macromedia.com/support/flash/. 

Macromedia will continue to take potential security 
issues very seriously. Security issues concerning the 
Macromedia Flash player may be mailed to 
flashplayer_security@macromedia.com. 

Pete Santangeli,  Vice President of Engineering, 
Macromedia Inc.

 



Copyright 2002, SecurityGlobal.net LLC