Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » 'Flash!' Aaargghh... here to hack every one of us

'Flash!' Aaargghh... here to hack every one of us

by Nikola Strahija on December 18th, 2002 A new threat is being posed to computer security, with a warning that Macromedia Flash files can be adjusted to compromise a PC or Mac as long as its user views the file in a web browser - or even an email.


A flaw found in Macromedia's animation software leaves web surfers vulnerable to attack when they visit an internet site or, even open an email according to security firm eEye Digital Security.

An attacker could create a hand-edited Macromedia Flash, or SWF, file that can compromise a PC or Macintosh if its user views the file with the Shockwave Flash Player plug-in for Internet Explorer, Netscape or other browsers.

The flaw's danger is compounded by the fact that Flash is so widespread and the software doesn't have a built-in upgrade system, said Marc Maiffret, chief hacking officer for eEye.

Maiffret said: "Almost every user is going to have Flash, so they can become compromised. Unless the user is smart enough to get the latest version of Flash, then they are going to be vulnerable."

More than 90 per cent of web browsers have the Flash software installed, according to Macromedia. While nearly 53 per cent of web surfers use the latest version, Shockwave Flash Player 6, the number still falls well short of the total, underscoring the problem of convincing people to upgrade.

Macromedia warned its developers of the problem last Friday, said Troy Evans, product manager for the Flash Player. He added that the only way to notify software users that they need to get the latest software is by modifying Flash animations to require the newest versions, so the company is focused on getting developers to do more updates.

Although getting users to upgrade is a challenge, Evans said, the company has been fairly successful. "We have three million downloads per day, so the players that are out there are getting updated," he said.

The flaw affects the Flash plug-in for browsers on Windows, Unix, Linux and Mac.

By editing the header of a Flash file, an attacker can cause the file to execute commands and compromise the computer system. In some cases, it's possible to cause HTML email to perform a similar attack, eEye said in its advisory.

The danger of flaws that require a victim to go to a specific website tends to be offset by the fact that a website can be shut down fairly quickly. For that reason, a virus that attempts to use a vulnerability in Flash or another web technology usually has a limited effect.

In many respects, the flaw resembles another vulnerability that eEye found in the Flash Player in August. That flaw also allowed an attacker to modify the header of an SWF file and cause the Flash Player to compromise the machine on which the software was running.

Maiffret said: "The outcome of the attack is basically identical to the one back in August. It just goes to show that the average software company is in great need of real-world security" checking.

- article available from http://www.silicon.com -


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »