[ISN] Macromedia reports critical hole in Flash player

From: InfoSec News (isnat_private)
Date: Tue Mar 04 2003 - 23:53:01 PST

  • Next message: InfoSec News: "[ISN] REVIEW: "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger"

    By James Niccolai
    IDG News Service
    MARCH 04, 2003
    Macromedia Inc. warned yesterday of a "critical" security flaw in the
    latest version of its Flash animation player and advised users to
    install a new version that it released on the Web to fix the problem.  
    The security flaw affects Version 6 of the Macromedia Flash Player,
    which was released a year ago this month and has been installed on an
    estimated 75% of PCs worldwide, according to the company.
    The vulnerability affects the integrity of the player's "sandbox,"  
    which is supposed to act as a cordoned-off area where Flash code
    retrieved from the Web can be run safely, without access to a user's
    files. The flaw could allow a malicious hacker to run native code on a
    user's computer, outside the sandbox, possibly without the user's
    knowledge, according to information on the company's Web site.
    No users had reported having been affected by the problem as of
    yesterday evening, a Macromedia representative said. Nevertheless, the
    San Francisco-based company advised users to download a new version of
    the player -- Version -- from its Web site immediately.
    Besides fixing the latest vulnerability, the new version serves as a
    cumulative patch, fixing other security flaws reported since the
    product's release, including memory buffer overflows, Macromedia said.  
    It also offers other tweaks intended to boost performance of the
    The company offered few other details, saying only that the
    vulnerability was reported to Macromedia "recently" by a third party.
    The bulletin, with a link to the download site, is at
    Macromedia sought to assure users of the steps it takes to make its
    products secure. These include hiring experts outside the company to
    run "penetration" tests on its products before they are released, it
    said. The company recently appointed Paul Madar as chief security
    officer to oversee security in its products.
    The company has issued more than 15 security patches, bulletins and
    notifications over the past year, according to its Web site. It
    recently implemented a ranking system similar to that used by
    Microsoft Corp. and other software vendors, designating
    vulnerabilities as "critical," "important," "moderate" and "low."
    "The testing program finds many issues prior to product shipment. But
    while we strive to improve the program, we can still miss issues,"  
    Madar wrote in a recent posting on the company's Web site.
    Flash is the most popular format for creating animation for Web sites.  
    In December, the free Flash Player had been installed on 98% of PCs
    worldwide, or close to half a billion machines, and about
    three-quarters of them were running Flash Player 6, according to a
    survey conducted for Macromedia by research company NPD Online.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 03:11:01 PST