Tuesday, November 8, 2005 |
10:58 - Flash security hole
http://www.techweb.com/wire/security/173500401
|
(top) |
Here's something that ought to be of interest to, well, just about everybody:
Macromedia's Flash has a critical bug that leaves all browser users armed with the popular media player open to attack, a security firm announced late Friday.
The vulnerability, said eEye Digital Security, the Aliso Viejo-Calif.-based company that discovered the flaw, is in the code of Flash.ocx, the component responsible for playing back .swf files (Flash content files). An attacker who manages to entice a user to a malicious Web site with a malformed Flash file could grab control of the PC, said eEye, if that user was running Windows with Administrator rights.
"We've assigned it our "High' rating, which means the vulnerability allows for code execution," said Steve Manzuik, the research team lead at eEye. "There's one caveat: it happens in the context of a logged-in user. But with the number of people running, say, Windows XP Home as an Administrator, that's still dangerous."
This is being presented as a Windows-platform vulnerability, but it's not browser-specific, and it may not be platform-specific either, so be sure to update regardless. (It's curious that the latest version of Flash seems to have been posted on September 12, though.)
It's instructive to note, though, that (as the last quoted line reflects) this is a lot more dangerous on platforms where users fall easily into the trap of running under Administrator-class accounts. Mac OS X, where admin duties are executed in "sudo" style, is a lot less exposed—though that's small comfort if all your personal data gets waylaid.
|
|