'Flash!' Aaargghh... here to hack every one of us

"If you had known anything about the true nature of the universe, anything at all, you would've hidden from it in terror." Ming the Merciless.
Written by Will Sturgeon, Contributor

"If you had known anything about the true nature of the universe, anything at all, you would've hidden from it in terror." Ming the Merciless.

A new threat is being posed to computer security, with a warning that Macromedia Flash files can be adjusted to compromise a PC or Mac as long as its user views the file in a web browser - or even an email. A flaw found in Macromedia's animation software leaves web surfers vulnerable to attack when they visit an internet site or, even open an email according to security firm eEye Digital Security. An attacker could create a hand-edited Macromedia Flash, or SWF, file that can compromise a PC or Macintosh if its user views the file with the Shockwave Flash Player plug-in for Internet Explorer, Netscape or other browsers. The flaw's danger is compounded by the fact that Flash is so widespread and the software doesn't have a built-in upgrade system, said Marc Maiffret, chief hacking officer for eEye. Maiffret said: "Almost every user is going to have Flash, so they can become compromised. Unless the user is smart enough to get the latest version of Flash, then they are going to be vulnerable." More than 90 per cent of web browsers have the Flash software installed, according to Macromedia. While nearly 53 per cent of web surfers use the latest version, Shockwave Flash Player 6, the number still falls well short of the total, underscoring the problem of convincing people to upgrade. Macromedia warned its developers of the problem last Friday, said Troy Evans, product manager for the Flash Player. He added that the only way to notify software users that they need to get the latest software is by modifying Flash animations to require the newest versions, so the company is focused on getting developers to do more updates. Although getting users to upgrade is a challenge, Evans said, the company has been fairly successful. "We have three million downloads per day, so the players that are out there are getting updated," he said. The flaw affects the Flash plug-in for browsers on Windows, Unix, Linux and Mac. By editing the header of a Flash file, an attacker can cause the file to execute commands and compromise the computer system. In some cases, it's possible to cause HTML email to perform a similar attack, eEye said in its advisory. The danger of flaws that require a victim to go to a specific website tends to be offset by the fact that a website can be shut down fairly quickly. For that reason, a virus that attempts to use a vulnerability in Flash or another web technology usually has a limited effect. In many respects, the flaw resembles another vulnerability that eEye found in the Flash Player in August. That flaw also allowed an attacker to modify the header of an SWF file and cause the Flash Player to compromise the machine on which the software was running. Maiffret said: "The outcome of the attack is basically identical to the one back in August. It just goes to show that the average software company is in great need of real-world security" checking. Robert Lemos writes for News.com
Editorial standards