TechNote (Archived)

Potential security issue with FSCommand "Save"

Issue


Macromedia was recently informed of a potential issue that could allow the standalone Macromedia Flash Player running on Microsoft Windows to execute malicious code. This issue does not affect any Macromedia Flash content viewed within a browser.

After testing by both Macromedia and the individual who initially reported this, Macromedia has found that this issue can only affect content that is sent via e-mail or downloaded and then run outside a browser in the standalone Flash Player.

Macromedia released an updater on 2/25/02 to the standalone Macromedia Flash Player to fix this issue.

There is a risk in downloading and running any application from the web, not only applications developed with Macromedia Flash.

The risk occurs when malicious content is played back in the standalone Macromedia Flash Player. There are two forms of the standalone player:

  • A version used by developers to test and build standalone projectors that is installed with Flash Authoring.
  • A standalone Projector, or executable application, that is compiled by a developer and distributed via e-mail or website download.

Neither of these standalone players plays back within a web browser, and therefore neither presents a risk to anyone surfing the web.

The behavior of this particular reported issue is as follows:

A developer can embed information into a Macromedia Flash file (SWF) running in the standalone player (EXE) on a Windows-based system that can execute external code. As an example, this external code could potentially be malicious, such as launching a virus that can harm a user's machine. Historically, this functionality has been used by developers in positive ways such as launching documents to be printed in an external application.

This functionality will be removed in all future versions of the standalone Macromedia Flash Player.

Solution


FIRST AND FOREMOST: E-mail users should never open or download attachments or data unless they can be sure it is from a trusted source.

  1. Download and install the Flash Player Updater: flashplayer_updater.zip (498k).

    After downloading, unzip the file and run Flash Player Updater.exe. For best results, exit all applications before installing. If the installer is not able to locate the standalone player, please double-check that you do have the standalone Flash Player installed on your system. If the standalone player is not installed, the update is not required.

    Note: The update will affect both the standalone Flash Player in the Flash folder and all Windows projectors created on the machine after the update. This update will not prevent fscommand "save" calls built into projectors created by outside sources.
  2. Do not open an EXE attachment or file if you do not trust the source!

    EXE is a file format for any executable file. These can be programs including installers and Flash projectors, among many other types of files. Even after updating the standalone player, do not open these types of files unless you are expecting to receive an EXE from a trusted source.

    If you receive a SWF file or an EXE file from a trusted source, verify with the sender that the content is safe before opening.

Additional Information


Though the risk can be considered limited, Macromedia takes security very seriously. For a description of the potential issue with the previous standalone player, please refer to Potential stand-alone Flash Player issue and security update (TechNote 16154).

For help downloading files, refer to Downloading files from the Internet (TechNote 13686). For more information on fscommand ("exec"), please refer to the ActionScript Reference Guide or Flash Help system.

Document Details

ID: tn_16200

Products Affected: flashplayer