Security hole found in Flash!

Discussion in 'other security issues & news' started by Technodrome, May 4, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Hi to All,

    A SECURITY HOLE in the way Macromedia's Flash player handles ActiveX content could allow an attacker to run the code of their choice on vulnerable systems, according to a security advisory published by eEye Digital Security late Thursday. Macromedia is offering a new download of the player which fixes the flaw.

    The vulnerability affects the Flash.ocx ActiveX component of the Flash player version 6 revision 23, and may affect earlier versions as well, Aliso Viejo, California-based eEye said in its alert. The Flash.ocx component is installed with Internet Explorer, as well as with the Flash player, eEye said.

    A buffer overflow in Flash.ocx could allow an attacker to run code of their choice on a vulnerable system when a user reads an HTML (Hypertext Markup Language)-formatted e-mail containing attack code, visits a Web site with attack code in it or uses Internet Explorer to display any other third-party HTML, eEye said.

    EEye said that Macromedia, based in San Francisco, was already aware of the issue when it contacted the company and that the latest version of the Flash player fixed the flaw. Users should upgrade to the latest version of the Flash player, version 6 revision 29, eEye said.

    The updated Flash player can be downloaded at http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash.

    source: infoworld

    Technodrome
     
  2. snowman

    snowman Guest

    ok this one has me confused.......the link posted above leads to a download of the "flash" for Netscape 4.7....a further search of the website revealed a "flash" download for Internet Explorer-AOL.....but there are no revision numbers listed........so which..what download is correct? o_O

    I use IE.....Netscape is also on my computer....does this mean I need to download "two" different versions....or....is one download of the update workable on both IE and Netscape?

                           snowman


    * any wonder why people are frustrated with downloading updates..........this one has me feeling like not even wasting my time.
     
  3. snowman

    snowman Guest

    To heck with it.....in less than one minute I un-installed Macromedia out of my OS.....was sure a lot easier than trying to sort through the confusion




                         snowman
     
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    If you open this link in IE you will download the Flash player update for IE. If you wish to download it for Netscape then open it in Netscape.

    I use IE and I got this:
    Download Time Estimate: 1 minute @ 56K modem
    Version: 6,0,29,0 -------------> Version of Flash Player
    Platform: Windows
    Browser: Internet Explorer
    File size: 383 K
    Date Posted: 5/1/2002 -----> The most recent version
    Language: English

    You need to download it separately for each browser!


    Technodrome
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hi, snowman!

    I noticed when I did it that Netscape was a little more bothersome to do (might be because I'm running an older version). I had to d/l the file to the desktop, click on it there to get it to install, etc., etc.

    It was also interesting to note that apparently it knew Opera was on my computer, because it had both Opera and Netscape highlighted as being programs that were going to get the updated Flash. (Opera wasn't running at the time). Went ahead and did the update and now all three browsers are (supposedly) covered - I did IE separately. HTH Pete
     
  6. snowman

    snowman Guest

    TECH and SPY1

    Thanks guys.....a little help from some of you guys did the trick.........

    this was the most troublesome download I've made so far this year.....in part because of me...the download site could not "see" that I am using Internet Explorer.....and kept offering the install for Netscape

    once you guys posted replies I realized that it had to be my settings causing the problem....it was. and the install for Internet Explorer is now complete.....also have downloaded the install for Netscape and will install it later...this mess made my head hurt LOL

    Pete that's rather odd that it could "see" Opera...but fortunate that it did.

    my first reaction was wondering how many users would download the wrong install and then think they were safe....either by not knowing that each browser needed a replacement....or by being directed to the wrong install as in my case....(which I admit was my error..caused by computer settings)...when all the company needs to do is place a small notice saying that separate installs are needed.

    well..anyone reading this thread will know now....so some good came of this.

    again..my thanks...if not for your replies I would have not made the upgrades...and just left it un-installed in my OS.


                                snowman
     