
TechNote (Archived)

Potential security issue with the stand-alone Macromedia Flash Player 5

Issue


Macromedia was informed of a potential issue involving the stand-alone Macromedia Flash Player 5 running on Microsoft Windows. After testing by both Macromedia and Sophos Anti-virus, the company that initially reported the issue, Macromedia has found that it can only affect content that is sent via e-mail or downloaded from a website and run outside a browser in the stand-alone Macromedia Flash Player 5. This risk has been removed from the stand-alone Macromedia Flash Player 6.

In either case, the risk only occurs when malicious content is played back in the stand-alone Macromedia Flash Player 5. This player is not installed by any browser installation, and is only installed with the Macromedia Flash authoring product.

The stand-alone player is available in two forms:

  • A version used by developers to test and build stand-alone projectors, which is installed with the Flash authoring product.
  • A stand-alone Projector, or executable application, that is compiled by a developer and distributed via e-mail or website download.

Because neither of these stand-alone players is installed through a web browser, this does not present a risk to the average web user.

The behavior of this particular reported virus, SWF/LFM-926, is as follows:

  • When executed on a Windows operating system, the virus displays a message saying "Loading Flash Movie".
  • The virus then creates a program that infects only other Flash files on the same system with the same virus.

The stand-alone player installed with Macromedia Flash 5 also supports an undocumented action. This action can be used to take advantage of this vulnerability in a similar manner to the issue described above. The solution described below also addresses this risk. For more information on this issue, refer to Potential security issue with FSCommand "Save" (TechNote 16200).

Solution


Users who have the stand-alone Macromedia Flash Player 5 installed on their machines should take the following precautions:

  1. Update the stand-alone player.

    Download and install the stand-alone Macromedia Flash Player Update for Windows (TechNote 16167). Flash authors should read the TechNote thoroughly before installing.

    The updated player eliminates the risk of malicious SWF content being played back in the stand-alone Flash Player. This applies to the stand-alone Flash Player installed on the system, and to all Windows Projectors created on the system after the update.
  2. Do not open an EXE attachment or file if you do not trust the source!

    EXE is a file format for any executable file. These can be programs including installers and Flash projectors, among many other types of files. Even after updating the stand-alone player, do not open these types of files unless you are expecting to receive an EXE from a trusted source.

If you would like to send secure Flash content via e-mail, notify your recipients using another method of contact that the file is safe. Many Flash developers choose to publish the content to the web and e-mail a link instead of an attachment.


Document Details

ID: tn_16154
Browser: Chrome, Internet Explorer, Netscape, Opera, Safari, Firefox
Products Affected: flashplayer