ActiveX flaw exposes Flash users to hackers

Updated: A flaw in the Flash ActiveX control could let hackers execute malicious code on computers with the multimedia client

An exploit has been discovered in Macromedia's Flash player that could let hackers execute malicious code on a user's computer.

According to Macromedia, more than 436 million copies of the Flash player have been downloaded from its site, accounting for 98 percent of Web users.

The exploit appears to have been independently discovered by Macromedia, which has already issued a fixed version of the Flash player, and by security software firm eEye Digital Security, which was credited last year with discovering and naming the Code Red virus.

Marc Maiffret, chief hacking officer at eEye, attributed the Macromedia Flash flaw to a buffer overflow vulnerability connected to an ActiveX control called Flash.ocx. "This attack can be performed via some HTML email clients, as well as when visitors visit malicious Web sites," he said.

EEye said it had confirmed the vulnerability in Flash Version 6, revision 23 which, it said, would "include most installations on Windows". Older versions of Flash could be affected, said eEye, and while the company admitted it had not tested them, it said that people who have an older version of Flash that is not affected may be forced to "upgrade" to the affected version because the OCX is signed by Macromedia.

EEye said it alerted Macromedia on Wednesday, and was told that Macromedia had just released a new revision. "We tried the link they gave us and it did indeed fix the problem," said eEye.

Flash Version 6, revision 29 can be downloaded from here.

EEye said it decided to make the vulnerability public because the signed OCX control has been downloaded "by an untold number of people, and potentially could still be used in an exploit scenario against those without the latest OCX." Furthermore, said eEye, this issue was found in the wild, "and it is not safe to assume it could not be found by others with malicious intent. Nor do we believe it is safe to assume this has not been found by users with malicious intent."

Troy Evans, product manager for Flash player, said the vulnerability only exists in Flash 6, revision 23, and does not affect previous versions of Flash. Revision 23 of the player is the first publicly available version of Flash 6, and was posted for download on Macromedia's site a month ago amid a flurry of publicity.

"The latest studies show we have a 3.3 percent penetration with this player," said Evans. "We have updated the deployment, and people are being redirected to revision 29," he said.

Evans said he had not heard of any reports of the exploit affecting users. "We have been working with eEye, but we did discover this ourselves." Macromedia had no issue with eEye publicising the vulnerability, said Evans. "The general public should be aware of issues that could affect them."

This is not the first security scare with Macromedia Flash. In January, antivirus companies warned PC users that future Macromedia Flash movies could carry malicious viruses and worms after an unknown virus writer sent just such an infectious program to UK antivirus company Sophos. Dubbed SWF/LFM-926, the program did little but infect Flash files on a PC when the movie is played.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.