[ISN] Another Security Hole Found In Macromedia Flash

From: InfoSec News (isnat_private)
Date: Wed Feb 27 2002 - 00:31:55 PST


    Forwarded from: William Knowles <wkat_private>

    By Brian McWilliams, Newsbytes
    26 Feb 2002, 2:03 PM CST

    A new technique for embedding malicious code in Flash files has been
    discovered, prompting Macromedia to patch its standalone Flash player.

    Using an undocumented feature in the Flash 5 authoring tool, a
    Macromedia customer found it was possible to create a "Trojaned" Flash
    movie that, when viewed using the standalone Flash player, would place
    a malicious script on the viewer's computer.

    An advisory and a harmless demonstration of the new flaw were posted on
    the Web this week by the Macromedia customer, who uses the nickname

    According to Vengy, Flash 5 supports an undocumented ActionScript
    command called fscommand:save that enables Flash developers to save
    the main timeline variables of a movie to a file.

    Vengy's demo showed how the "save" command could be used to create a
    batch program on the hard disk of Flash standalone player users who
    viewed a movie containing the Trojan horse code. In the demo, the
    Trojan program executed when the victim rebooted his or her computer.

    A Macromedia representative today said the company released an updated
    version of its standalone Flash player Monday, and that the "save"
    feature would be removed from future versions of the player.

    Last month, in response to reports of the first virus designed to
    infect Flash files, Macromedia removed a related feature from its
    standalone Flash player that enabled Flash movies to execute external
    programs on the viewer's system.

    Neither the new vulnerability nor January's SWF/LFM-926 virus affects
    the millions of users of Macromedia's browser-based Flash plug-in or
    ActiveX control. Those players do not have access to special commands,
    and Flash files played back through a browser are secure, according to

    The standalone Flash player is included with Macromedia's Flash
    authoring system, a commercial product that is used by developers to
    create presentations in the popular Shockwave Flash (SWF) format.

    Responding to Vengy's report on how to exploit the fscommand:save
    feature, Macromedia updated its standalone Flash player available for
    download from its site. However, the company had not yet issued a
    technical note announcing the vulnerability. Nor was the updated
    player included in the Flash 5 trial available for download today.

    The SWF/LFM-926 virus exploited a related ActionScript command known
    as fscommand:exec to propagate itself to other Flash files on the
    victim's PC.

    In response to the discovery of the virus, in January Macromedia
    released an update to its standalone Flash player that causes the
    player to ignore the "exec" action.

    For Flash authors who wished to retain the exec feature and not update
    their standalone Player, Macromedia also released a utility that
    cleared the Shockwave Flash (SWF) file type association from the
    Windows registry.

    Shane Coursen, a virus expert and CEO of WildList Organization
    International, said the "save" vulnerability, like the SWF/LFM-926
    virus, was "mainly academic" and unlikely to affect many people.

    "Since these flaws only affect the authorware version of Flash, it's
    unlikely they'll be exploited in a widespread way," said Coursen.

    Still, Coursen advised sites hosting Flash content to redouble their
    efforts to ensure the security and authenticity of their SWF files.

    Vengy's advisory on the Flash "save" vulnerability is at

    Macromedia's technical note on the "exec" hole is at

    A description of the SWF/LFM-926 virus is at

    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org