FocusCanada Forums

Full Version: New Macromedia Flash Player Vulnerability
Complete text from my alert email below:

Yesterday, Macromedia released an alert describing a critical security vulnerability in their popular Flash Player. By enticing one of your users into downloading and playing a maliciously crafted Flash (.SWF) file, an attacker could exploit this flaw to execute code on your user's computer, potentially gaining complete control of the victim's machine. Administrators should download and deploy Flash Player 8.0.24.0 throughout their network as soon as possible.

Exposure:
Macromedia Flash Player displays interactive Web content called Flash, which often comes in the form of a Shockwave file (.SWF). Macromedia's Flash player ships by default with many Web browsers, including Internet Explorer (IE). It also runs on many operating systems.

In yesterday's alert, Macromedia warns of some critical security vulnerabilities in Flash Player 8.0.22.0, and all earlier versions. Unfortunately, Macromedia chooses to omit almost all details describing these critical flaws, except the fact that the flaws all relate to Shockwave Flash files (.SWF) and can be exploited with the same result. By enticing one of your users into downloading and playing a maliciously crafted Shockwave Flash file (.SWF), an attacker can exploit any of these vulnerabilities to execute code on your user's machine with that user's privileges. In order to deliver his booby-trapped Flash file to your users, the attacker would probably host it on a Web site or send it via an HTML e-mail. Since most Windows administrators grant their users local administrative privileges, an attacker could probably exploit this flaw in a Windows environment to gain complete control of the victim's system.

Unfortunately, Macromedia's alert doesn't explicitly say which operating systems these flaws affect. Reading between the lines based on the recommended downloads, we believe Windows, Macintosh OS X, Linux, and Solaris are all affected. To best protect yourself, we recommend you update to the latest version of Flash Player as soon as possible, regardless of which platform you run it on.

Solution Path:
Macromedia has released Flash Player v 8.0.24.0 (and, for some platforms, 7.0.63.0) to correct this vulnerability. We recommend you download and deploy Macromedia's latest Flash Player throughout your network as soon as possible, regardless of the operating system you run it on. Note that if you open the download link using Internet Explorer, you'll see a page that, by default, will send you both the Flash update and Yahoo! Toolbar. We recommend you disable the option of receiving Yahoo! Toolbar, which is not needed for fixing the Flash vulnerability.
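Added example, not part of the alert or the original post: a small inventory check that flags machines still running a Flash Player older than the fixed releases named above (8.0.24.0, or 7.0.63.0 on the 7.x branch). The hostnames, the inventory layout and the assumption that versions arrive either dotted or in the comma form "WIN 8,0,22,0" are all constructed for the example.

```python
import re

# Fixed releases named in the alert; 7.0.63.0 is offered only "for some platforms".
FIXED_8 = (8, 0, 24, 0)
FIXED_7 = (7, 0, 63, 0)

_VERSION = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_version(text):
    """Parse '8.0.22.0' or the comma form 'WIN 8,0,22,0' into a tuple of ints."""
    match = _VERSION.search(text or "")
    if match is None:
        raise ValueError(f"unrecognised Flash Player version: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Return 'patched', 'patched-7x', 'vulnerable' or 'unknown'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    # Tuples compare numerically, so 8.0.9.0 sorts below 8.0.24.0
    # (a plain string comparison would get that wrong).
    if version >= FIXED_8:
        return "patched"
    if version[0] == 7 and version >= FIXED_7:
        return "patched-7x"
    return "vulnerable"


def hosts_to_update(inventory):
    """Hosts whose player is vulnerable or could not be identified."""
    return sorted(
        host for host, version_text in inventory.items()
        if classify(version_text) in ("vulnerable", "unknown")
    )


# Constructed inventory: hostnames and readings are made up for the example.
SAMPLE_INVENTORY = {
    "ws-accounting-01": "WIN 8,0,22,0",
    "ws-accounting-02": "8.0.24.0",
    "ws-lab-linux": "7.0.63.0",
    "ws-frontdesk": "8.0.9.0",
    "ws-kiosk": "not installed?",
}

if __name__ == "__main__":
    for host in hosts_to_update(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], classify(SAMPLE_INVENTORY[host]))
```

Hosts reported as "patched-7x" still need a manual look, since the alert does not say which platforms receive 7.0.63.0 instead of 8.0.24.0.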

interesting....
Looks like M$ had an update.