Tuesday, November 8, 2005
A gaping security hole in Macromedia Inc.'s Flash Player could put millions of Web surfers at risk of PC hijack attacks, the company warned in an advisory.
The vulnerability, which was privately reported to Macromedia four months ago, is rated "critical" and could lead to arbitrary code execution attacks.
The flaw was flagged in Macromedia Flash Player 7.0.19.0 and earlier versions.
"Users who have already upgraded to Flash Player 8 are not affected by this issue. Macromedia recommends all Flash Player 7 and earlier users upgrade to this new version," the company said.
The full disclosure of this vulnerability is at Macromedia, at: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html
Anybody using a Flash Plugin for their browsers should go to http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash to download the patched version.
Wiz
Critical Flaw in Flash Player - Update released
Moderator: Wiz Feinberg
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
It gets worse. Some people aren't aware that they even have Flash Player on their system because it ships with most versions of Windows as part of the default installation package. I just received this security notice from Microsoft and think it behooves me to share it with all other PC users.
Microsoft Security Advisory (910550)
Macromedia Security Bulletin: MPSB05-07 Flash Player 7 Improper Memory Access Vulnerability
Published: November 9, 2005
Microsoft is aware of recent security vulnerabilities in Macromedia Flash Player, a third party software application that also was redistributed with Microsoft Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98, Windows 98 SE, and Windows Millennium Edition. The Microsoft Security Response Center is in communication with Macromedia and is aware that Macromedia has made updates that are available on their Web site.
Microsoft encourages customers who use Macromedia Flash Player to follow the guidance documented in Macromedia’s Security Bulletin. The Macromedia Security Bulletin describes the vulnerabilities and provides the download locations so that you can install the appropriate update based on the version of Macromedia Flash Player you are using.
If customers are not using Macromedia Flash Player on their system, or customers do not need Macromedia Flash Player, they can disable the ActiveX control in Internet Explorer to help protect against these vulnerabilities. See the “Workarounds” section in this advisory for ways to implement this change.
You should read the rest, including the Workaround sections, at: http://www.microsoft.com/technet/security/advisory/910550.mspx
Wiz