Beyond Security discovers bug in Macromedia Flash

Vulnerability discovered in cooperation with Japanese security company Vagabond

Johannesburg, 16 Apr 2003

IT security specialist Beyond Security Ltd has issued an immediate security advisory regarding a high-risk vulnerability discovered in global multimedia group Macromedia's Flash software. The vulnerability allows an attacker to gain sensitive information about users of the Flash software while they surf the Web.

The vulnerability lies within a segment of the Flash code known as 'Click Ad', which is utilised by most online ad banners to gain information about the user. If this weakness is exploited, it will allow an attacker to drastically modify the information a user sees, possibly replacing the original advert with his own. Such an exploit might also allow an attacker to retrieve sensitive information from the user (i.e. cookies) or even steal the user's username and password for the affected Web site.

The problem was discovered in coordination with the Japanese information security company Vagabond, Beyond Security's business partner in Japan. The companies have an extensive common history of discovering security vulnerabilities, and were both previously involved in uncovering a critical vulnerability inside the code of leading certificate authority Verisign which, at the time, allowed an attacker to forge certificates issued by Verisign to its protected client sites.

Beyond Security has been in contact with Macromedia regarding the current Flash bug, and both companies have worked together to resolve the issue.

Macromedia announced that all of its larger client Web sites using the technology have been notified, and have fixed the problem, where it related to them.

Macromedia's Flash technology is used by almost 500 million Internet browsers around the globe, primarily as a multimedia content enabler, and one of its many features is presenting online interactive ads. These ads, while providing useful information to legitimate site advertisers, can also become a security risk, as revealed.

Full information about the vulnerability can be found on Beyond Security's information security portal at http://www.securiteam.com/securitynews/5XP0B0U9PE.html

Editorial contacts

Steve Chalom
Beyond Security
(011) 257 8470
info@beyondsecurity.co.za