
List:       isn
Subject:    [ISN] Another Security Hole Found In Macromedia Flash
From:       InfoSec News <isn () c4i ! org>
Date:       2002-02-27 8:31:55

Forwarded from: William Knowles <wk@c4i.org>

http://www.newsbytes.com/news/02/174783.html

By Brian McWilliams, Newsbytes
SAN FRANCISCO, CALIFORNIA, U.S.A.,
26 Feb 2002, 2:03 PM CST
 
A new technique for embedding malicious code in Flash files has been
discovered, prompting Macromedia to patch its standalone Flash player.

Using an undocumented feature in the Flash 5 authoring tool, a
Macromedia customer found it was possible to create a "Trojaned" Flash
movie that, when viewed using the standalone Flash player, would place
a malicious script on the viewer's computer.
 
An advisory and a harmless demonstration of the new flaw were posted on
the Web this week by the Macromedia customer, who uses the nickname
Vengy.

According to Vengy, Flash 5 supports an undocumented ActionScript
command called fscommand:save that enables Flash developers to save
the main timeline variables of a movie to a file.

Vengy's demo showed how the "save" command could be used to create a
batch program on the hard disk of Flash standalone player users who
viewed a movie containing the Trojan horse code. In the demo, the
Trojan program executed when the victim rebooted his or her computer.

A Macromedia representative today said the company released an updated
version of its standalone Flash player Monday, and that the "save"
feature would be removed from future versions of the player.

Last month, in response to reports of the first virus designed to
infect Flash files, Macromedia removed a related feature from its
standalone Flash player that enabled Flash movies to execute external
programs on the viewer's system.

Neither the new vulnerability nor January's SWF/LFM-926 virus affects
the millions of users of Macromedia's browser-based Flash plug-in or
ActiveX control. Those players do not have access to special commands,
and Flash files played back through a browser are secure, according to
Macromedia.

The standalone Flash player is included with Macromedia's Flash
authoring system, a commercial product that is used by developers to
create presentations in the popular Shockwave Flash (SWF) format.

Responding to Vengy's report on how to exploit the fscommand:save
feature, Macromedia updated its standalone Flash player available for
download from its site. However, the company had not yet issued a
technical note announcing the vulnerability. Nor was the updated
player included in the Flash 5 trial available for download today.

The SWF/LFM-926 virus exploited a related ActionScript command known
as fscommand:exec to propagate itself to other Flash files on the
victim's PC.

In response to the discovery of the virus, in January Macromedia
released an update to its standalone Flash player that causes the
player to ignore the "exec" action.

For Flash authors who wished to retain the exec feature and not update
their standalone Player, Macromedia also released a utility that
cleared the Shockwave Flash (SWF) file type association from the
Windows registry.

Shane Coursen, a virus expert and CEO of WildList Organization
International, said the "save" vulnerability, like the SWF/LFM-926
virus, was "mainly academic" and unlikely to affect many people.

"Since these flaws only affect the authorware version of Flash, it's
unlikely they'll be exploited in a widespread way," said Coursen.

Still, Coursen advised sites hosting Flash content to redouble their
efforts to ensure the security and authenticity of their SWF files.

Vengy's advisory on the Flash "save" vulnerability is at
http://www.geocities.com/cyber_flash5/

Macromedia's technical note on the "exec" hole is at
http://www.macromedia.com/support/flash/ts/documents/standalone_update.htm
 
A description of the SWF/LFM-926 virus is at
http://www.sophos.com/virusinfo/analyses/swflfm926.html



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.