Flash, bang, wallop - you're own3d
Macromedia patches 'critical' security bug
Security researchers have discovered a vulnerability in Macromedia's Flash Player that creates a mechanism for hackers to attack the PCs of users running the popular application. The security bug - described as critical - affect Macromedia Flash Player 6.x and 7.x. Macromedia has issued security updates.
The flaw stems from a failure to reject malformed SWF files as invalid. This bug might be exploited by using specially crafted (malformed) SWF file to execute arbitrary code on the machines of users induced into visiting sites under the control of hackers.
Flash Player version 184.108.40.206 and prior on the Windows platform, and in versions prior to 220.127.116.11 on Unix, are reportedly vulnerable. Users are advised to upgrade to Flash Player 8 (18.104.22.168) or apply a Flash Player 7 update (22.214.171.124 or 126.96.36.199) in order to guard against possible attack. An advisory from Macromedia explaining the security glitch can be found here. The bug was independently discovered by Fang Xing of eEye Digital Security (advisory here) and Bernhard Mueller of SEC Consult (advisory here). ®